A high-severity vulnerability has been identified in multiple ApusTheme Famita products. This flaw, known as a Local File Inclusion, allows an unauthenticated attacker to trick the web server into displaying the contents of sensitive files, potentially exposing confidential data such as database credentials and system configurations. Immediate patching is required to prevent potential data breaches and further system compromise.

The vulnerability is an Improper Control of a Filename for an Include/Require Statement in PHP, commonly known as Local File Inclusion (LFI). An attacker can exploit this by manipulating an input parameter to specify a path to a file on the server's local filesystem. The vulnerable PHP application then includes and executes or renders the contents of the specified file, allowing the attacker to read sensitive information such as configuration files (wp-config.php), system user lists (/etc/passwd), or other application source code.

This vulnerability is rated as High severity with a CVSS score of 8.1. Successful exploitation could lead to significant business impact, including the exposure of sensitive corporate data, customer information, and intellectual property. An attacker gaining access to database credentials or API keys from configuration files could lead to a complete system compromise, unauthorized data access and modification, and potential data exfiltration. This can result in severe reputational damage, regulatory fines, and financial loss.

Immediate Action: Apply vendor security updates immediately across all affected products to patch the vulnerability. After patching, monitor for any signs of exploitation attempts by reviewing web server access logs and system logs for suspicious activity that may have occurred prior to remediation.

Proactive Monitoring: Security teams should actively monitor web server access logs for requests containing path traversal sequences (e.g., ../, ..%2f) or attempts to access common sensitive files. Implement file integrity monitoring on critical system and application files to detect unauthorized changes. Monitor for unusual PHP errors in logs, which could indicate failed LFI attempts.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rulesets designed to detect and block LFI and path traversal attacks. Additionally, enforce strict file system permissions to ensure the web server process only has access to the files it legitimately needs, limiting the impact of a potential breach.

Public Exploit Available: false

Given the high CVSS score of 8.1 and the critical nature of information disclosure vulnerabilities, it is strongly recommended that organizations prioritize the immediate application of the vendor-supplied patches. Although this CVE is not currently listed on the CISA KEV catalog, its severity and the potential for straightforward exploitation warrant urgent attention. Organizations should treat this as a critical threat and implement the recommended remediation and monitoring steps without delay to mitigate the risk of a data breach.