CVE-2025-60198

dedalx · dedalx Saxon - Viral Content Blog & Magazine Marketing WordPress Theme

A high-severity vulnerability has been identified in the Saxon WordPress theme, which allows for Local File Inclusion (LFI).

Executive summary

A high-severity vulnerability has been identified in the Saxon WordPress theme, which allows for Local File Inclusion (LFI). An unauthenticated attacker could exploit this flaw to read sensitive files from the underlying server, such as configuration files containing database credentials. Successful exploitation could lead to a significant data breach and potential full system compromise.

Vulnerability

The vulnerability, classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), exists within the Saxon WordPress theme. The theme passes user-supplied input into the path of a PHP include or require statement without adequate validation. An unauthenticated remote attacker can manipulate this input to include arbitrary local files on the server. By crafting a request containing path traversal sequences (e.g., ../), an attacker can force the application to include files outside the intended directory, so that the contents of sensitive non-PHP files such as /etc/passwd are returned in the web server's response. Two properties of include-based LFI matter for triage. First, PHP files are executed rather than printed: the source of wp-config.php is not simply echoed back, and reading it typically depends on a stream wrapper such as php://filter being accepted by the vulnerable parameter. Second, an include primitive is more dangerous than a plain file read, because any local file into which an attacker can get PHP code (logs, uploads, session files) will be executed by the server, which is how CWE-98 issues are commonly escalated to code execution.
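The following is an added illustration of the CWE-98 pattern described above, written for this page; it is not the Saxon theme's code. The templates directory, the template parameter, the file names and every function name are assumptions made for the example. It shows the unsafe concatenation into include(), an allowlist fix, and a canonical-path check for cases where an allowlist is impractical, exercised against constructed files in a temporary directory.

```php
<?php
// Added illustration of the CWE-98 pattern the advisory describes. This is not
// the Saxon theme's code: the templates directory, the template parameter and
// every function name here are assumptions made for the example. Needs PHP 8.0+.
declare(strict_types=1);

// Vulnerable pattern: a request value is concatenated straight into include().
// A value such as ../../../../etc/passwd walks out of the templates directory.
// Include semantics matter here: a non-PHP file is echoed into the response,
// while a PHP file (wp-config.php) is executed rather than displayed.
function load_template_vulnerable(string $base, string $name): void
{
    include $base . '/' . $name;
}

// Hardened pattern 1: the request value only selects an entry from a fixed
// allowlist; raw input never becomes part of the path.
const TEMPLATE_ALLOWLIST = ['single' => 'single.php', 'archive' => 'archive.php'];

function load_template_allowlisted(string $base, string $slug): void
{
    if (!array_key_exists($slug, TEMPLATE_ALLOWLIST)) {
        http_response_code(400);
        echo "Unknown template\n";
        return;
    }
    include $base . '/' . TEMPLATE_ALLOWLIST[$slug];
}

// Hardened pattern 2, for when an allowlist is impractical: canonicalise the
// path and confirm it still sits under the templates directory. Returns null
// for stream wrappers, null bytes, missing files and anything that escapes.
function resolve_template_path(string $base, string $name): ?string
{
    if (str_contains($name, "\0") || str_contains($name, '://')) {
        return null;
    }
    $baseReal = realpath($base);
    $pathReal = realpath($base . '/' . $name);   // false if the file does not exist
    if ($baseReal === false || $pathReal === false) {
        return null;
    }
    if (!str_starts_with($pathReal, $baseReal . DIRECTORY_SEPARATOR)) {
        return null;                               // resolved outside $base
    }
    return $pathReal;
}

// Constructed demo layout in a temp dir: one legitimate template plus a file
// one level up that stands in for a credentials file such as wp-config.php.
$root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
$templates = "$root/templates";
mkdir($templates, 0700, true);
file_put_contents("$templates/single.php", '<?php echo "legitimate template\n";' . "\n");
file_put_contents("$root/secret.txt", "DB_PASSWORD=hunter2\n");

echo "--- vulnerable include ---\n";
load_template_vulnerable($templates, '../secret.txt');    // includes a file outside $templates

echo "--- allowlist ---\n";
load_template_allowlisted($templates, 'single');          // allowed slug
load_template_allowlisted($templates, '../secret.txt');   // not a slug, rejected

echo "--- canonical path check ---\n";
$probes = [
    'single.php',
    '../secret.txt',
    '../../../../etc/passwd',
    'php://filter/convert.base64-encode/resource=single.php',
    "single.php\0.jpg",
];
foreach ($probes as $p) {
    $r = resolve_template_path($templates, $p);
    printf("%-56s => %s\n", addcslashes($p, "\0"), $r === null ? 'REJECTED' : 'ok: ' . basename($r));
}

// Remove the demo files.
unlink("$templates/single.php");
unlink("$root/secret.txt");
rmdir($templates);
rmdir($root);
```

The allowlist is the preferred fix: the request value becomes a key, never a path fragment, so encoding tricks and wrapper schemes have nothing to act on. The realpath() variant is defence in depth and only works because the candidate file must already exist; it still needs the explicit wrapper and null-byte rejections, since realpath() sees neither as a filesystem path.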

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.2. Exploitation could have a severe impact on the business, leading to a major data breach. If an attacker successfully reads the wp-config.php file, they will gain access to database credentials, which could be used to access, modify, or exfiltrate all data stored in the website's database. This exposure of sensitive customer data or proprietary information can result in significant financial loss, regulatory fines, and irreparable damage to the organization's reputation and customer trust.

Remediation

Immediate Action:

  • Identify all WordPress instances using the "Saxon" theme (in WP-CLI, wp theme list shows each installed theme's version and whether an update is pending) and immediately update it to the latest version provided by the vendor (dedalx). Commercial themes are often not served by the wordpress.org updater, so confirm the fixed version through the vendor's own distribution channel.
  • If the Saxon theme is installed but not active or no longer needed on any WordPress site, it should be completely removed to eliminate the attack surface.

Proactive Monitoring:

  • Review web server access logs for requests containing path traversal sequences in both raw and URL-encoded forms (../, ..\, %2e%2e/, ..%2f and double-encoded variants such as %252e%252e%252f), and for requests that reference common sensitive files (e.g., wp-config.php, /etc/passwd, .env) or PHP stream wrappers such as php://filter. Decode the request target before matching; a plain search for "../" misses the encoded forms. A 200 response with a non-trivial byte count on such a request is the strongest sign that a read succeeded, whereas 403/404 rows usually indicate probing.
  • Implement File Integrity Monitoring (FIM) on critical server files to detect any unauthorized access or changes.
  • Monitor for unusual outbound network traffic from the web server, which could indicate a post-exploitation data exfiltration attempt.
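The following is an added example for the log-review step above; it is not tooling from the advisory or the vendor. It reads combined-log-format access log lines, percent-decodes each request target repeatedly so that single- and double-encoded traversal is caught, and flags the indicators listed above. The sample lines are constructed, and the /index.php?page= parameter in them is a placeholder rather than the Saxon theme's actual entry point.

```php
<?php
// Added example for the log-review step above; it is not tooling from the
// advisory or the vendor. It reads combined-log-format lines, URL-decodes the
// request target repeatedly (so %2e%2e%2f and double-encoded %252e%252e%252f
// are caught) and flags traversal sequences and the sensitive file names the
// advisory lists. Usage: php lfi-log-scan.php access.log  (no argument runs the
// constructed sample below). Needs PHP 8.0+.
declare(strict_types=1);

const SENSITIVE_FILES = ['wp-config.php', '/etc/passwd', '.env', 'php://'];

// Percent-decode until the value stops changing (bounded), then fold backslashes
// into forward slashes so ..\ is treated like ../ .
function normalize_target(string $target): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($target);
        if ($decoded === $target) {
            break;
        }
        $target = $decoded;
    }
    return str_replace('\\', '/', $target);
}

// Returns the reasons a request target looks like an LFI/traversal probe ([] if none).
// "../" anywhere after decoding is deliberately broad: ....// and ..%2f collapse to it.
function lfi_indicators(string $target): array
{
    $norm = strtolower(normalize_target($target));
    $hits = [];
    if (str_contains($norm, '../')) {
        $hits[] = 'path traversal';
    }
    foreach (SENSITIVE_FILES as $f) {
        if (str_contains($norm, $f)) {
            $hits[] = "references $f";
        }
    }
    return $hits;
}

// Extract the request target from a combined-log-format line; null if unparsable.
function request_target(string $line): ?string
{
    return preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m) ? $m[1] : null;
}

// Scan every line and return one finding per suspicious request.
function scan_log(iterable $lines): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        $target = request_target($line);
        if ($target === null) {
            continue;
        }
        $hits = lfi_indicators($target);
        if ($hits !== []) {
            $findings[] = ['line' => $i + 1, 'target' => $target, 'hits' => $hits];
        }
    }
    return $findings;
}

// Constructed sample traffic (not real logs). The /index.php?page= parameter is a
// placeholder, not the Saxon theme's actual entry point.
$sample = [
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /?p=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.4.0"',
    '203.0.113.5 - - [10/Oct/2025:12:00:03 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 0 "-" "curl/8.4.0"',
    '203.0.113.5 - - [10/Oct/2025:12:00:04 +0000] "GET /index.php?page=%252e%252e%252f.env HTTP/1.1" 404 0 "-" "curl/8.4.0"',
    '198.51.100.7 - - [10/Oct/2025:12:00:05 +0000] "GET /wp-content/themes/saxon/style.css HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
];

$lines = $argc > 1 ? (file($argv[1], FILE_IGNORE_NEW_LINES) ?: []) : $sample;
foreach (scan_log($lines) as $f) {
    printf("line %d: %s  [%s]\n", $f['line'], $f['target'], implode(', ', $f['hits']));
}
```

Treat the output as a triage list, not a verdict: cross-check flagged rows against the status code and response size columns, since a 200 with a large byte count on a traversal request is the one to escalate, and the 0-byte 200 on the wp-config.php row is consistent with the file having been included and executed rather than displayed.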

Compensating Controls:

  • Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block Local File Inclusion and path traversal attack patterns.
  • Harden the underlying server's PHP configuration by using the open_basedir directive to restrict the file paths that PHP is allowed to access. This limits reads of system files such as /etc/passwd, but it does not protect files inside the permitted tree: wp-config.php lives in the WordPress root, so open_basedir reduces collateral exposure and is not a substitute for updating the theme.
  • Ensure the web server process runs under a low-privileged user account to limit the scope of files an attacker can read if the vulnerability is exploited.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 8.2 and the potential for complete database compromise, this vulnerability poses a significant risk to the organization. It is strongly recommended that all system administrators immediately identify assets running the vulnerable Saxon WordPress theme and apply the necessary updates without delay. Although this CVE is not currently listed on the CISA KEV catalog, its severity and the ubiquity of WordPress warrant immediate attention. Prioritize patching on production and internet-facing systems, and consider removing the theme entirely if it is not essential to business operations.