A high-severity vulnerability has been identified in multiple hashthemes Easy products, specifically affecting the Easy Elementor Addons. This flaw, a Local File Inclusion, could allow an unauthenticated attacker to access and read sensitive files on the web server by manipulating input parameters. Successful exploitation could lead to the exposure of confidential data, such as database credentials and system configuration files, potentially resulting in a full system compromise.

The vulnerability is an Improper Control of a Filename for an Include/Require Statement in a PHP Program, commonly known as Local File Inclusion (LFI). The Easy Elementor Addons fail to properly sanitize user-supplied input that is passed to a PHP include or require function. An attacker can exploit this by crafting a request containing directory traversal sequences (e.g., ../) to navigate the server's file system and specify an arbitrary file to be included. This allows the attacker to read the contents of sensitive files, such as wp-config.php or /etc/passwd, leading to information disclosure. If the attacker can combine this with a file upload capability, it could be escalated to achieve remote code execution (RCE).

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could have a significant negative impact on the business. The primary risk is a data breach resulting from an attacker reading sensitive files containing database credentials, API keys, or personally identifiable information (PII). This could lead to substantial reputational damage, loss of customer trust, and potential regulatory fines. If escalated to remote code execution, an attacker could gain complete control of the affected web server, using it to disrupt services, steal more data, or pivot to other systems within the internal network.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor immediately across all affected systems. Prioritize patching on internet-facing servers to reduce the attack surface. After patching, review web server access logs for any signs of past or ongoing exploitation attempts targeting this vulnerability.

Proactive Monitoring: Implement continuous monitoring of web server logs for suspicious requests containing directory traversal patterns (e.g., ../, %2e%2e/) or attempts to access common sensitive files. Monitor for any unusual outbound network connections from the web server, which could indicate a successful compromise. Utilize a File Integrity Monitoring (FIM) solution to detect unauthorized file modifications or the creation of suspicious files in web-accessible directories.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Deploy a Web Application Firewall (WAF) with rules specifically designed to block LFI and directory traversal attacks.
• Harden the server's PHP configuration by using the open_basedir directive to restrict the directories from which PHP can read files.
• Ensure the web server process runs with the principle of least privilege, restricting its access to only necessary files and directories.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the potential for severe business impact, including data breaches and server compromise, we strongly recommend that organizations prioritize the immediate application of vendor-supplied patches. Although this vulnerability is not yet on the CISA KEV list, the ease with which LFI flaws can be exploited necessitates urgent action. If patching is delayed, the compensating controls outlined above, particularly the use of a WAF, should be implemented as a temporary measure. A comprehensive review of access logs is crucial to detect any historical compromise.