A high-severity vulnerability has been identified in multiple wpshuffle Subscribe products, which could allow an attacker to access sensitive files on the server. This flaw, known as Local File Inclusion, could be exploited to read confidential data, such as configuration files containing database credentials, or to execute malicious code. Successful exploitation could lead to a full compromise of the affected web server, resulting in data breaches and operational disruption.

The vulnerability is an Improper Control of a Filename for an Include/Require Statement in PHP, commonly known as Local File Inclusion (LFI). An attacker can manipulate an input parameter that the application uses to build a file path for a PHP include or require statement. By crafting a malicious input (e.g., using directory traversal sequences like ../../..), an attacker can force the application to include and execute arbitrary PHP files already present on the server or read the contents of any file readable by the web server process, such as /etc/passwd or wp-config.php.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation can lead to significant business consequences, including the unauthorized disclosure of sensitive information such as customer data, intellectual property, and system credentials. An attacker could leverage this access to gain full control of the web server, deface the website, install malware, or use the compromised server as a pivot point for further attacks into the corporate network. The potential outcomes include severe reputational damage, financial loss from remediation efforts, and possible regulatory penalties.

Immediate Action: Apply vendor-supplied security updates to all affected products immediately to patch the vulnerability. Following the update, closely monitor systems for any signs of exploitation attempts by reviewing web server and application access logs for suspicious requests.

Proactive Monitoring: Security teams should actively monitor web server logs for patterns indicative of LFI attacks. This includes searching for requests containing directory traversal sequences (../), references to sensitive system files (e.g., wp-config.php, /etc/passwd), and PHP wrappers like php://filter. Monitor for unexpected file modifications or the creation of new files in web-accessible directories.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI attack patterns. Additionally, harden the server's PHP configuration by disabling allow_url_include and enforcing strict file permissions to limit the web server process's access to only necessary files and directories.

Public Exploit Available: false

Given the high severity (CVSS 7.5) of this vulnerability and the potential for complete server compromise, it is strongly recommended that the organization prioritizes the immediate application of vendor-supplied security patches across all affected systems. Although this CVE is not yet on the CISA KEV list, its critical nature warrants urgent attention. Organizations should treat this as a critical threat and act swiftly to mitigate the risk of a potential data breach or system compromise.