A high-severity vulnerability has been identified in multiple ThemeMove SmilePure products, allowing for Local File Inclusion (LFI). An unauthenticated attacker can exploit this flaw to read sensitive files from the underlying server, potentially exposing credentials, system configurations, and other confidential data. This could lead to further system compromise and a significant data breach.

The vulnerability exists due to improper input validation on filenames used in PHP include or require statements. An attacker can manipulate input parameters, such as a URL query string, to include directory traversal sequences (../). This tricks the application into including and displaying the contents of arbitrary files from the server's local file system, rather than the intended file. Successful exploitation allows an attacker to read sensitive files like /etc/passwd, application configuration files containing database credentials, or server logs.

This vulnerability is rated as High severity with a CVSS score of 8.2. Exploitation could lead to a significant data breach through the unauthorized disclosure of sensitive information, including customer data, intellectual property, and system credentials. The exposure of configuration files could provide an attacker with the necessary information to escalate their privileges or pivot to other systems within the network. This can result in severe financial loss, reputational damage, and regulatory penalties.

Immediate Action: Apply the security updates provided by the vendor immediately across all affected products. After patching, review web server access logs for any signs of past exploitation attempts, such as unusual requests containing file path traversal characters.

Proactive Monitoring: System administrators should actively monitor web server logs for requests containing directory traversal patterns (e.g., ../, ..%2f, ..\\). Implement file integrity monitoring on critical system and application files to detect unauthorized access or changes. Monitor for outbound network traffic to unusual destinations, which could indicate data exfiltration.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block Local File Inclusion and directory traversal attacks. Additionally, harden server configurations by restricting the web server's file system permissions to the absolute minimum required for operation and ensure PHP's open_basedir directive is configured to limit the files that can be accessed.

Public Exploit Available: false

Given the high CVSS score of 8.2 and the potential for sensitive data exposure, it is strongly recommended that organizations prioritize the immediate application of the vendor-supplied security patches. Although this CVE is not currently listed on the CISA KEV list, its high severity makes it a prime target for opportunistic attackers. Organizations should treat this as a critical finding and act swiftly to mitigate the risk of a potential system compromise or data breach.