A high-severity vulnerability has been identified in multiple axiomthemes Good Mood products, assigned CVE-2025-58894. This flaw allows an attacker to trick the application into reading and displaying sensitive files from the server's local file system, potentially exposing confidential data like system passwords, configuration files, and application source code. Immediate patching is required to prevent unauthorized access to sensitive information and potential further system compromise.

The vulnerability is a Local File Inclusion (LFI) flaw resulting from an Improper Control of a Filename for an Include/Require Statement in the underlying PHP code. An attacker can exploit this by manipulating an input parameter that the application uses to construct a file path. By crafting a malicious request containing directory traversal sequences (e.g., ../), an unauthenticated remote attacker can force the application to include and render the contents of arbitrary files on the server's filesystem, limited only by the web server's file permissions. This could expose sensitive data such as wp-config.php, /etc/passwd, or other critical system and application files.

This vulnerability is rated as High severity with a CVSS score of 8.2. Successful exploitation could lead to significant business impact, including the disclosure of sensitive information such as database credentials, API keys, and internal system configurations. This exposure could facilitate further attacks, leading to a full system compromise, data breaches involving customer or corporate information, reputational damage, and potential regulatory fines for non-compliance with data protection standards.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor to all affected products immediately. Prioritize patching for all internet-facing systems. After patching, review web server access logs for any signs of past or ongoing exploitation attempts.

Proactive Monitoring: Security teams should actively monitor web server access logs for suspicious requests targeting the affected software. Look for patterns indicative of LFI attacks, such as the inclusion of directory traversal sequences (../, ..%2F), absolute file paths (e.g., /etc/passwd), or PHP wrappers (php://filter) in request parameters. An increase in HTTP 4xx or 5xx error codes from the application could also indicate failed exploitation attempts.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and directory traversal attack patterns. Additionally, enforce the principle of least privilege by ensuring the web server process runs with minimal permissions, restricting its ability to read sensitive files outside of the web root directory.

Public Exploit Available: false

Given the high CVSS score of 8.2 and the critical risk of sensitive information disclosure, this vulnerability requires immediate attention. Although it is not currently listed on the CISA KEV list and no public exploits are available, the risk of future exploitation is significant. We strongly recommend that all organizations using the affected axiomthemes products apply the vendor-provided security patches on an emergency basis to mitigate the risk of a data breach and further system compromise.