A high-severity vulnerability has been identified in multiple CodexThemes TheGem products, which could allow an unauthenticated remote attacker to execute arbitrary code. Successful exploitation of this vulnerability would grant an attacker full control over the affected website, potentially leading to data theft, website defacement, or further compromise of the server. Immediate patching is required to mitigate this critical risk.

The vulnerability is a Remote File Inclusion (RFI) flaw within the PHP code of the affected components. The application fails to properly sanitize user-supplied input that is used as a filename in an include or require statement. An unauthenticated attacker can exploit this by crafting a request that points to a malicious PHP file hosted on an external server, causing the vulnerable web server to download and execute the attacker's code with the privileges of the web server process.

This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could lead to a complete compromise of the web application and the underlying server. Potential consequences include the theft of sensitive data such as customer information or intellectual property, service disruption, reputational damage, and financial loss. The compromised server could also be used to host malicious content, launch attacks against other systems, or serve as a pivot point into the organization's internal network.

Immediate Action:

• Apply the security updates provided by CodexThemes to all affected products immediately.
• After patching, review web server access logs and system logs for any signs of compromise or exploitation attempts that may have occurred prior to the patch application.

Proactive Monitoring:

• Monitor web server logs for suspicious GET or POST requests containing full URLs or IP addresses in parameters, which is a common indicator of an RFI attempt.
• Monitor network traffic for unusual outbound connections from the web server, as this could indicate a successful RFI payload communicating with a command-and-control server.
• Implement file integrity monitoring to detect unauthorized changes to files within the web application's directory.

Compensating Controls:

• If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block RFI attack patterns.
• In the server's php.ini configuration file, disable allow_url_include and allow_url_fopen. Note that this may impact legitimate website functionality and should be thoroughly tested.
• Implement strict egress filtering on the network firewall to prevent the web server from making outbound connections to untrusted external hosts.

Public Exploit Available: false

Given the high CVSS score of 8.1 and the critical impact of a successful Remote File Inclusion attack, we strongly recommend that organizations prioritize the immediate application of the vendor-provided security patches. Although this vulnerability is not currently listed on the CISA KEV catalog, its severity and the ease of exploitation make it a significant threat. All internet-facing systems running the affected CodexThemes products should be considered at high risk and remediated without delay.