A high-severity vulnerability has been identified in the fuelthemes North - Required Plugin (north-plugin), affecting multiple products. This flaw allows an attacker to read sensitive files directly from the web server, potentially exposing confidential information such as configuration details, database credentials, and system user data. Successful exploitation could lead to a complete compromise of the affected website and its underlying server.

The vulnerability is a Local File Inclusion (LFI) flaw within the north-plugin. It stems from an improper control of filenames used in PHP's include or require statements. An unauthenticated remote attacker can craft a special request to the web server, manipulating a parameter to force the application to include and display the contents of arbitrary files on the local filesystem. For example, an attacker could request files like /etc/passwd to enumerate system users or wp-config.php to steal database credentials.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation can have a significant business impact, leading to the unauthorized disclosure of sensitive information. The primary risks include the theft of intellectual property, customer data, and critical credentials stored on the server. This can result in a severe data breach, financial loss, reputational damage, and potential regulatory penalties for non-compliance with data protection standards.

Immediate Action: Organizations must apply the security updates provided by the vendor (fuelthemes) to all affected systems immediately. After patching, it is crucial to review web server access logs for any signs of past or ongoing exploitation attempts targeting this vulnerability.

Proactive Monitoring: Security teams should actively monitor web server logs for suspicious GET or POST requests containing directory traversal sequences (e.g., ../, ..\/) or requests for sensitive system files (e.g., wp-config.php, /etc/passwd, .env). Implement alerts for unusual PHP errors or unexpected file access patterns on the server, which could indicate an LFI attempt.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and directory traversal attack patterns. Additionally, harden the server's PHP configuration by ensuring allow_url_include is disabled and restrict file permissions so the web server process can only access necessary files.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the critical impact of a successful exploit, we strongly recommend that organizations prioritize the immediate application of the vendor-supplied patches. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its nature makes it an attractive target for opportunistic attackers. All affected assets should be patched or have compensating controls applied without delay to prevent potential data breaches.