CVE-2025-60190
Hinnerk · Hinnerk Altenburg Immocaster WordPress Plugin
Executive summary
A high-severity vulnerability has been identified in the Hinnerk Altenburg Immocaster WordPress plugin, which could allow an unauthenticated attacker to read sensitive files from the underlying server. Successful exploitation could lead to the exposure of confidential data, such as website configuration details and database credentials, potentially enabling further system compromise. Organizations using the affected plugin are urged to apply the recommended updates immediately to mitigate this risk.
Vulnerability
The vulnerability is a Local File Inclusion (LFI) flaw within the Immocaster plugin. It arises from the improper sanitization of user-supplied input that is used to construct a file path for a PHP include or require statement. An attacker can exploit this by crafting a malicious request that manipulates the input to traverse the file system and specify an arbitrary file on the server. The server would then process and potentially display the contents of the requested file, such as wp-config.php (containing database credentials) or system files like /etc/passwd.
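The following PHP snippet is an added illustration and is not the Immocaster plugin's own code; the function and template names are assumptions. It contrasts the generic pattern the advisory describes, raw request input concatenated into an include path, with a hardened form that maps the input through an allowlist and then verifies the resolved path still lives inside the intended directory.

```php
<?php
// Added illustrative example; not code from the Immocaster plugin.
// Function names, the "templates" directory and the allowlist entries are assumptions.

// VULNERABLE PATTERN (for contrast only): the request parameter is used as-is to
// build the path, so "../../wp-config.php" or an absolute path is accepted unchanged.
function render_template_vulnerable(string $name): void
{
    include __DIR__ . '/templates/' . $name;
}

// HARDENED: the request value is only ever a key into a fixed allowlist; the file
// name itself never comes from the client.
const TEMPLATE_ALLOWLIST = [
    'list'   => 'list.php',
    'detail' => 'detail.php',
];

// Returns the absolute path of an allowed template, or null if the name is not
// allowed or the resolved file escapes the template directory.
function resolve_template(string $name): ?string
{
    if (!array_key_exists($name, TEMPLATE_ALLOWLIST)) {
        return null; // unknown name: refuse rather than guess
    }
    $base = realpath(__DIR__ . '/templates');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . TEMPLATE_ALLOWLIST[$name]);
    // Defence in depth: even an allowlisted entry must resolve under $base
    // (protects against a symlinked or mis-edited allowlist entry).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_template_hardened(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400); // reject instead of falling back to a guessed file
        return;
    }
    include $path;
}
```

The allowlist is the real control: once the client can only choose among fixed keys, there is no path to sanitise. The `realpath` prefix check is a second layer that catches mistakes in the allowlist itself rather than a substitute for it.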
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation can lead to significant business impact, including the breach of sensitive data and intellectual property. An attacker could leverage the exposed information, particularly database credentials, to gain unauthorized access to the website's database, steal customer information, or deface the website. Such an incident could result in severe reputational damage, loss of customer trust, and potential regulatory fines for data breaches.
Remediation
Immediate Action: The primary remediation is to update the affected "Immocaster" WordPress plugin to the latest patched version provided by the vendor. If the plugin is not critical to business operations, a secondary option is to disable and remove it entirely from the WordPress installation to eliminate the attack surface.
Proactive Monitoring: Monitor web server access logs for suspicious requests targeting the Immocaster plugin. Look for patterns indicative of LFI attacks, such as directory traversal sequences (../ and ..\) and requests for common sensitive files (wp-config.php, /etc/passwd, .env) within URL parameters. Use a file integrity monitoring (FIM) system to alert on unauthorized access to or changes in critical configuration files.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and directory traversal attack patterns. Additionally, ensure PHP is configured securely by hardening the php.ini file (e.g., disabling allow_url_include) and enforce strict file system permissions to limit the files the web server process is authorized to read.
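As an added example of the log review described under Proactive Monitoring (not part of the advisory), the PHP script below scans access log lines in combined log format for the indicators the advisory lists: traversal sequences and requests naming wp-config.php, /etc/passwd or .env. Requests are URL-decoded twice before matching so that single- and double-encoded traversal is caught. The plugin directory name, the endpoint and the parameter name in the sample lines are placeholders; the sample lines are constructed, not real traffic.

```php
<?php
// Added example; not part of the advisory. Flags access log requests that carry
// the LFI indicators named in the "Proactive Monitoring" guidance.
// The plugin directory below is an assumption used only to scope the scan.
const PLUGIN_DIR = '/wp-content/plugins/immocaster/';

// Returns the list of indicator names found in one request target.
function lfi_indicators(string $request): array
{
    // Decode twice so "%2e%2e%2f" and "%252e%252e%252f" both become "../".
    $decoded = urldecode(urldecode($request));
    $hits = [];
    if (preg_match('#(\.\./|\.\.\\\\)#', $decoded)) {
        $hits[] = 'traversal';
    }
    if (preg_match('#(wp-config\.php|/etc/passwd|(^|/)\.env)#', $decoded)) {
        $hits[] = 'sensitive-file';
    }
    return $hits;
}

// Scans an array of combined-log-format lines; returns one finding per suspicious
// request that targets the plugin directory.
function scan_access_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        // The request is the quoted "METHOD target HTTP/x.y" field.
        if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $target = $m[1];
        if (strpos($target, PLUGIN_DIR) !== 0) {
            continue; // outside the plugin: not in scope for this check
        }
        $hits = lfi_indicators($target);
        if ($hits !== []) {
            $findings[] = ['line' => $n + 1, 'request' => $target, 'indicators' => $hits];
        }
    }
    return $findings;
}

// Constructed sample lines (placeholder endpoint "view.php" and parameter "tpl").
$sample = [
    '203.0.113.10 - - [01/Oct/2025:10:00:00 +0000] "GET /wp-content/plugins/immocaster/view.php?tpl=list HTTP/1.1" 200 512',
    '203.0.113.11 - - [01/Oct/2025:10:00:01 +0000] "GET /wp-content/plugins/immocaster/view.php?tpl=../../../../wp-config.php HTTP/1.1" 200 2048',
    '203.0.113.12 - - [01/Oct/2025:10:00:02 +0000] "GET /wp-content/plugins/immocaster/view.php?tpl=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1024',
    '203.0.113.13 - - [01/Oct/2025:10:00:03 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 128',
];

foreach (scan_access_log($sample) as $f) {
    printf("line %d: %s -> %s\n", $f['line'], implode(',', $f['indicators']), $f['request']);
}
```

On the sample above the first line is clean and the last is outside the plugin path, so only lines 2 and 3 are reported. A 200 status on such a request is the detail to escalate on: the advisory's remediation (patching or removing the plugin, plus WAF rules) should be in place before it appears.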
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity score (CVSS 8.1) and the critical nature of the data that can be exposed, we strongly recommend that organizations identify all instances of the Immocaster WordPress plugin and apply the vendor-supplied patch immediately. While this vulnerability is not currently on the CISA KEV list, its potential for data exfiltration presents a significant risk. Prioritize this patch to prevent potential data breaches and subsequent system compromise.