CVE-2025-58898

AncoraThemes · AncoraThemes Multiple Products

A high-severity vulnerability has been identified in multiple AncoraThemes products, including HealthHub.

Executive summary

A high-severity vulnerability has been identified in multiple AncoraThemes products, including HealthHub. This flaw allows an unauthenticated attacker to trick the web server into including and executing unintended local files, potentially leading to sensitive information disclosure or a full system compromise. Organizations using the affected software are at significant risk and should apply security updates immediately.

Vulnerability

The vulnerability is a Local File Inclusion (LFI) flaw resulting from the improper sanitization of user-supplied input. An attacker can manipulate a parameter that the application uses to build a file path for a PHP include() or require() statement. By crafting a malicious request containing directory traversal sequences (e.g., ../) or absolute file paths, an attacker can force the application to include and process arbitrary files from the local server, granting them access to data that should be restricted. This could allow the attacker to read sensitive configuration files (such as wp-config.php), system files (like /etc/passwd), or, if combined with a file upload capability, achieve remote code execution.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.2. Successful exploitation could have severe consequences for the business, including the disclosure of sensitive data such as database credentials, customer information, and application source code. This exposure could lead to a significant data breach, resulting in regulatory fines, reputational damage, and loss of customer trust. If an attacker leverages this LFI to achieve remote code execution, they could gain complete control of the affected server, enabling them to pivot to other systems within the network, disrupt business operations, or deploy ransomware.

Remediation

Immediate Action: Apply the security updates provided by AncoraThemes to all affected products immediately. After patching, monitor web server access logs and security tools for any signs of attempted or successful exploitation that may have occurred prior to remediation.

Proactive Monitoring: Security teams should actively monitor web server access logs for requests containing classic LFI patterns, such as directory traversal sequences (../, ..%2f, ..\), absolute file paths, and PHP filter wrappers (php://filter). Monitor for unusual outbound network connections from the web server, which could indicate a successful compromise. File Integrity Monitoring (FIM) should be used to detect unauthorized modifications to application or system files.
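As an added example (not part of this advisory or of any AncoraThemes code), the following Python scanner applies those access-log checks: it percent-decodes each query parameter repeatedly, so double-encoded traversal is not missed, and flags traversal sequences, absolute paths and php:// wrappers. The log lines, script paths and parameter names are constructed placeholders, not the affected products' real files.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined log format); paths and
# parameter names are placeholders, not the affected products' real files.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2025:12:00:02 +0000] "GET /index.php?page=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 1024
198.51.100.7 - - [10/Oct/2025:12:00:03 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 3000
198.51.100.8 - - [10/Oct/2025:12:00:04 +0000] "GET /index.php?tpl=%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 200
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Each signature is tested against a fully percent-decoded parameter value.
LFI_SIGNATURES = [
    ("traversal", re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")),   # ../ or ..\
    ("php_wrapper", re.compile(r"^php://", re.IGNORECASE)),     # php://filter etc.
    ("absolute_path", re.compile(r"^(?:/|[A-Za-z]:[\\/])")),    # /etc/passwd, C:\...
]

def normalize(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_request_target(target):
    """Return 'signature:param' for every query parameter matching an LFI signature."""
    hits = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = normalize(raw)  # parse_qsl decodes once; this handles further layers
        hits.extend(f"{sig}:{name}" for sig, rx in LFI_SIGNATURES if rx.search(value))
    return hits

def scan_log(text):
    """Scan access-log text; return one finding per line with suspicious parameters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = scan_request_target(match.group("target"))
        if hits:
            findings.append({"line": lineno, "client": line.split()[0], "hits": hits})
    return findings
```

The absolute-path signature needs tuning against parameters that legitimately carry paths, and a scan of the query string alone misses payloads sent in POST bodies or headers, so treat this as a triage aid alongside WAF and FIM telemetry.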

Compensating Controls: If immediate patching is not possible, the following controls can help mitigate risk:

  • Web Application Firewall (WAF): Deploy a WAF with a robust ruleset designed to detect and block LFI and directory traversal attack patterns.
  • PHP Configuration Hardening: Ensure allow_url_include is disabled in the php.ini configuration to prevent this LFI from being escalated to a Remote File Inclusion (RFI) attack.
  • File System Permissions: Enforce the principle of least privilege by ensuring the web server's user account has restrictive read/write permissions and cannot access sensitive files or directories outside of the web root.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This is a high-severity vulnerability that presents a clear and immediate risk of information disclosure and potential server compromise. Given the CVSS score of 8.2 and the ease of exploitation for LFI flaws, organizations must prioritize remediation. Although CVE-2025-58898 is not currently on the CISA KEV catalog, its severity warrants an urgent response. We strongly recommend that all organizations using affected AncoraThemes products apply the vendor-supplied security patches immediately. If patching is delayed, implement the recommended compensating controls, particularly a WAF, and heighten monitoring for any related indicators of attack.