A high-severity vulnerability has been identified in the Dream-Theme The7 Elements (dt-the7-core) plugin for WordPress. This flaw, classified as a Local File Inclusion, could allow an unauthenticated attacker to read sensitive files on the web server, such as configuration files containing database credentials. Successful exploitation could lead to sensitive data exposure and potentially a full compromise of the affected website and server.

This is a Local File Inclusion (LFI) vulnerability resulting from the improper sanitization of user-supplied input used in a PHP include or require statement. An unauthenticated remote attacker can exploit this by crafting a special request that manipulates a parameter to specify a file path on the server. By using path traversal sequences (e.g., ../), the attacker can navigate outside of the intended directory and force the application to include and display the contents of arbitrary files, such as wp-config.php or /etc/passwd, which are accessible to the web server process.

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to the unauthorized disclosure of highly sensitive information, including database credentials, application source code, and system configuration files. This information leakage can be a precursor to more severe attacks, such as database compromise, privilege escalation, or a complete server takeover. This poses a significant risk to data confidentiality and integrity, potentially resulting in a data breach, reputational damage, and financial losses.

Immediate Action: Apply vendor security updates immediately. Administrators should update the Dream-Theme The7 Elements (dt-the7-core) plugin to the latest patched version provided by the vendor. After patching, it is critical to monitor for any ongoing exploitation attempts and review historical web server access logs for indicators of compromise.

Proactive Monitoring: Security teams should actively monitor web server logs for requests containing common LFI payloads and path traversal sequences, such as ../, ..%2f, or requests attempting to access sensitive files like wp-config.php, /etc/passwd, or .env. Implement alerts for multiple failed requests or unusual patterns targeting the affected plugin's components.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to detect and block path traversal and Local File Inclusion attacks. Additionally, ensure the PHP environment is hardened by restricting file system access with open_basedir and confirming that the web server process runs with the lowest possible privileges.

Public Exploit Available: false

Given the high severity (CVSS 7.5) of this vulnerability and the risk of sensitive data exposure, we recommend immediate and urgent action. All organizations utilizing the Dream-Theme The7 Elements plugin must prioritize the deployment of the vendor-supplied security patch. Although this vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its potential impact warrants treating it with the highest priority to prevent future compromise.