A high-severity vulnerability has been identified in the Elated-Themes Academist product, which could allow an unauthenticated remote attacker to execute arbitrary code. This flaw, known as a Remote File Inclusion, enables an attacker to trick the application into running malicious code from an external server, potentially leading to a complete compromise of the affected system. Organizations using the vulnerable software are at significant risk of data breaches, service disruption, and further network intrusion.

The vulnerability is an Improper Control of a Filename for an Include/Require Statement, commonly known as Remote File Inclusion (RFI). The application fails to properly sanitize user-supplied input that is used to construct a file path for a PHP include or require statement. An unauthenticated remote attacker can exploit this by providing a URL to a malicious PHP file hosted on an attacker-controlled server. The vulnerable application will then fetch and execute this external file, giving the attacker full code execution capabilities in the context of the web server user.

This vulnerability is rated as High severity with a CVSS score of 8.1. Successful exploitation could lead to a complete compromise of the web server hosting the Academist product. Potential consequences include theft of sensitive data (such as customer information or intellectual property), installation of malware or ransomware, defacement of the website, and using the compromised server to launch further attacks against the internal network. Such an incident can result in significant financial loss, reputational damage, and regulatory penalties.

Immediate Action: The primary remediation is to apply the security updates provided by Elated-Themes immediately to all affected systems. After patching, organizations should monitor for any signs of post-exploitation activity by reviewing web server access logs and system logs for unusual requests or connections originating from the time the system was vulnerable.

Proactive Monitoring: Security teams should actively monitor web server logs for requests containing external URLs or suspicious file paths in parameters. Network traffic should be monitored for unexpected outbound connections from the web server to unknown IP addresses, which could indicate a successful RFI payload being fetched. File Integrity Monitoring (FIM) should be used to detect the creation of unauthorized files in the web root.

Compensating Controls: If immediate patching is not feasible, the following compensating controls can reduce the risk:

• Implement a Web Application Firewall (WAF) with rules specifically designed to detect and block RFI attack patterns.
• In the PHP configuration file (php.ini), disable remote file inclusion by setting allow_url_include to Off.
• Implement network egress filtering to restrict the web server's ability to make outbound connections to the internet, preventing it from fetching malicious remote files.

Public Exploit Available: Not publicly known at this time

Given the high severity (CVSS 8.1) and the potential for complete system compromise, immediate action is required. We strongly recommend that all organizations using the Elated-Themes Academist product prioritize the deployment of the vendor-supplied security patches. Although this vulnerability is not currently listed on the CISA KEV catalog, its critical nature makes it a likely target for future exploitation. If patching is delayed, the compensating controls listed above should be implemented as an urgent temporary measure.