A high-severity vulnerability has been identified in the DFDevelopment Ronneby Theme Core, which could allow an unauthenticated attacker to access and read sensitive files on the web server. Successful exploitation could lead to the exposure of confidential data, such as configuration files and user credentials, and may potentially lead to further system compromise. Organizations using the affected products are urged to apply security updates immediately to mitigate this risk.

The vulnerability is a Local File Inclusion (LFI) within the ronneby-core component. The software fails to properly sanitize user-supplied input that is used as a filename in a PHP include or require statement. An unauthenticated remote attacker can exploit this by crafting a special request, typically manipulating a URL parameter, to include arbitrary local files from the server's filesystem. For example, an attacker could force the application to read and display the contents of sensitive files like /etc/passwd or application configuration files containing database credentials.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation can have a significant business impact by compromising the confidentiality and integrity of the web application and underlying server. Key risks include the theft of sensitive data (customer information, intellectual property, credentials), which can lead to regulatory fines and reputational damage. If an attacker can combine this LFI with a file upload capability, it could escalate to arbitrary code execution, resulting in a full system compromise, service disruption, and use of the server for malicious activities.

Immediate Action: Immediately apply the security updates provided by DFDevelopment Ronneby to all affected systems. After patching, review web server and application access logs for any signs of exploitation attempts that may have occurred prior to remediation.

Proactive Monitoring: Implement enhanced monitoring of web server logs for common LFI attack patterns, such as directory traversal sequences (../, ..%2f, %2e%2e%2f) in URL parameters. Monitor for unusual requests attempting to access sensitive system files (e.g., wp-config.php, /etc/shadow) and watch for PHP errors related to failed include() or require() functions.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and directory traversal attacks. Additionally, ensure PHP configurations are hardened by disabling allow_url_include and enforcing strict file permissions on the web server to limit the web process's access to sensitive directories.

Public Exploit Available: false

Given the high CVSS score of 7.5 and the critical nature of Local File Inclusion vulnerabilities, it is strongly recommended that organizations prioritize the immediate deployment of the vendor-supplied patches. Although this CVE is not currently listed on the CISA KEV list, its potential for sensitive data exposure and system compromise makes it an attractive target. Organizations should treat this as a critical priority and apply compensating controls like a WAF if patching is delayed for any reason.