A high-severity vulnerability has been identified in the Edge-Themes Alloggio - Hotel Booking software. This flaw, known as a Local File Inclusion, could allow an unauthenticated attacker to read sensitive files on the server, potentially leading to the exposure of confidential data, system credentials, and ultimately, full server compromise.

The vulnerability exists due to an improper control of filenames used in PHP's include or require statements. An attacker can exploit this by manipulating an input parameter to include arbitrary files from the local server's filesystem. This could allow the attacker to read sensitive files such as configuration files containing database credentials (wp-config.php), system user files (/etc/passwd), or application source code. In certain scenarios, if the attacker can control the content of a file on the server (e.g., through log poisoning or a separate file upload vulnerability), this flaw could be escalated to achieve Remote Code Execution (RCE).

This vulnerability is rated as high severity with a CVSS score of 8.1. Successful exploitation could have a significant negative impact on the business. An attacker could gain unauthorized access to sensitive company and customer data, leading to a data breach. The disclosure of system credentials or source code could facilitate further attacks on the organization's infrastructure. The potential for full server compromise would grant an attacker complete control, enabling them to disrupt services, install malware, or use the server for malicious activities, resulting in reputational damage, regulatory fines, and financial loss.

Immediate Action: Apply the security updates provided by the vendor across all affected systems immediately. Before deployment, test the patches in a non-production environment to ensure stability. Concurrently, begin reviewing web server access logs for any signs of exploitation attempts that may have occurred prior to patching.

Proactive Monitoring: Configure security monitoring tools to search for indicators of compromise related to this vulnerability. In web server logs, look for suspicious requests containing directory traversal sequences (e.g., ../, %2e%2e/) or attempts to access common sensitive files (e.g., /etc/passwd, wp-config.php, .env) in request parameters. Monitor for any unusual file read operations by the web server process.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to detect and block Local File Inclusion and directory traversal attack patterns. Additionally, enforce strict file system permissions to limit the web server process's access to only necessary files and directories, reducing the impact of a potential breach.

Public Exploit Available: false

Given the high severity (CVSS 8.1) of this vulnerability and its potential to cause a full server compromise, we strongly recommend that organizations prioritize the immediate application of the vendor-supplied security patches. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its critical nature warrants urgent attention. All internet-facing instances of the affected software should be considered at high risk and must be patched or protected with compensating controls without delay.