A high-severity vulnerability, identified as CVE-2025-59564 with a CVSS score of 8.1, has been discovered in multiple ThemeMove EduMall products. This flaw allows an unauthenticated attacker to read sensitive files from the server, potentially exposing confidential data, system credentials, and application source code. Successful exploitation could lead to a full system compromise, making immediate patching a critical priority.

This vulnerability is a Local File Inclusion (LFI) flaw. It exists because the application fails to properly sanitize user-supplied input used in a file path for a PHP include or require statement. An unauthenticated remote attacker can exploit this by crafting a malicious request containing directory traversal sequences (e.g., ../). This manipulation tricks the application into including and displaying the contents of arbitrary files on the server's filesystem, such as /etc/passwd or configuration files containing database credentials. In certain scenarios, if an attacker can also upload a file containing malicious PHP code, this LFI vulnerability could be escalated to achieve Remote Code Execution (RCE).

This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation can lead to a significant data breach, exposing sensitive company information, customer data, and system credentials stored on the server. The consequences of such a breach include severe reputational damage, financial losses from remediation and regulatory fines (e.g., GDPR, CCPA), and loss of customer trust. If an attacker successfully escalates the vulnerability to achieve code execution, they could gain complete control of the affected server, leading to website defacement, service disruption, or the server being used as a pivot point for further attacks against the internal network.

Immediate Action:

• Patch: Apply the security updates provided by the vendor immediately across all affected ThemeMove EduMall instances.
• Monitor and Review: Actively monitor for signs of exploitation. Review web server access logs for any requests containing directory traversal patterns (e.g., ../, %2e%2e/) aimed at sensitive files.

Proactive Monitoring:

• Log Analysis: Implement and review alerts for suspicious web requests targeting PHP files with unusual parameters. Look for patterns indicative of LFI probes in your WAF, IDS/IPS, and web server logs.
• File Integrity Monitoring (FIM): Use FIM tools to monitor for unexpected changes to core application files or the creation of new, unauthorized files in web-accessible directories.
• Network Traffic: Monitor for unusual outbound network connections from the web server, which could indicate a successful compromise and data exfiltration.

Compensating Controls:

• Web Application Firewall (WAF): If patching is delayed, deploy a WAF with a strict ruleset designed to detect and block directory traversal and file inclusion attacks.
• PHP Hardening: Ensure PHP configurations are hardened by disabling allow_url_include and restricting file system access for the web server process using open_basedir.
• Least Privilege: Run the web server and application with the lowest possible user privileges to limit an attacker's access to the filesystem in the event of a successful LFI exploit.

Public Exploit Available: false

Given the high CVSS score of 8.1 and the potential for complete information disclosure and system compromise, this vulnerability poses a critical risk. We strongly recommend that organizations identify all instances of affected ThemeMove EduMall products and apply the vendor-supplied patches immediately. Although this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity warrants treating it with the highest priority to prevent potential data breaches and server compromise.