A high-severity vulnerability has been discovered in multiple StylemixThemes products, identified as CVE-2025-64359. This flaw allows an unauthenticated attacker to trick the website into revealing sensitive files from the server's local filesystem, potentially exposing confidential data such as configuration details and user credentials, which could lead to a full server compromise. Organizations using the affected software should prioritize applying the vendor-provided security updates to mitigate this significant risk.

This vulnerability is a Local File Inclusion (LFI) flaw resulting from an Improper Control of a Filename for an Include/Require Statement in the PHP code. The application fails to properly sanitize user-supplied input that is used to construct a file path for functions like include() or require(). An unauthenticated remote attacker can exploit this by crafting a malicious request, typically manipulating a URL parameter with directory traversal sequences (e.g., ../../), to force the application to include and display the contents of arbitrary files on the server's filesystem. This could expose sensitive information like wp-config.php, /etc/passwd, or other critical configuration files.

This is a High severity vulnerability with a CVSS score of 7.5. Successful exploitation could have a severe impact on the business by compromising the confidentiality and integrity of the web application and underlying server. An attacker could read sensitive configuration files to obtain database credentials, which could then be used to access, modify, or exfiltrate sensitive company or customer data. This exposure could lead to a significant data breach, reputational damage, regulatory fines, and a loss of customer trust. In scenarios where an attacker can combine this LFI with a file upload capability, it could be escalated to full Remote Code Execution (RCE), allowing for a complete takeover of the server.

Immediate Action: The primary remediation is to apply the security patches provided by the vendor, StylemixThemes, to all affected products immediately. Before patching, create a backup of your website and database. After applying the update, verify that the website is functioning correctly.

Proactive Monitoring: Review historical and current web server access logs for patterns indicative of LFI exploitation attempts. Look for suspicious requests containing directory traversal payloads (../, ..%2f, ..%c0%af), file paths to sensitive system files (e.g., /etc/passwd, wp-config.php), or PHP wrappers like php://filter. Implement alerts for such patterns to enable rapid detection of future attempts.

Compensating Controls: If patching cannot be performed immediately, the following compensating controls can help reduce the risk:

• Web Application Firewall (WAF): Implement a WAF with a robust ruleset designed to detect and block common LFI and directory traversal attack patterns.
• Harden PHP Configuration: Ensure that allow_url_include and allow_url_fopen are set to Off in the php.ini configuration file to prevent this vulnerability from being escalated to the more critical Remote File Inclusion (RFI).
• File Permissions: Enforce the principle of least privilege by tightening file system permissions for the web server user, ensuring it cannot read files outside of the web root directory.

Public Exploit Available: false

Due to the High severity (CVSS 7.5) of this vulnerability and its potential to cause a significant data breach, immediate action is required. It is strongly recommended to apply the vendor-supplied security patches to all affected StylemixThemes products as the top priority. If patching is delayed, immediately implement compensating controls, particularly by deploying a Web Application Firewall (WAF) to block exploitation attempts. Proactive monitoring of web server logs should be enhanced to detect any signs of compromise. Although this vulnerability is not currently on the CISA KEV list, its high potential for abuse warrants immediate and decisive remediation.