A high-severity vulnerability has been identified in multiple StylemixThemes products, allowing for Local File Inclusion (LFI). An unauthenticated attacker could exploit this flaw to read sensitive files from the web server, such as configuration files containing database credentials, potentially leading to further system compromise or data exposure. Immediate patching is required to mitigate the significant risk to confidentiality and system integrity.

The vulnerability, classified as an Improper Control of Filename for Include/Require Statement, exists within the consulting-elementor-widgets component. An attacker can manipulate an input parameter that is used in a PHP include or require statement. By crafting a malicious request containing directory traversal sequences (e.g., ../../..), an attacker can trick the application into including and rendering arbitrary files from the local server filesystem, granting them unauthorized read access to sensitive data.

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to the disclosure of highly sensitive information, including website source code, system user information, and critical configuration files like wp-config.php which contains database credentials. This exposure could facilitate further attacks, leading to a complete system compromise, unauthorized data modification, or significant data breaches. The potential business impact includes reputational damage, loss of customer trust, and non-compliance with data protection regulations.

Immediate Action: Apply the security updates provided by StylemixThemes to all affected products immediately. This is the most effective way to eliminate the vulnerability. After patching, review web server and application access logs for any signs of exploitation attempts that may have occurred prior to the update.

Proactive Monitoring: Monitor web server access logs for suspicious requests containing directory traversal patterns (e.g., ../, %2e%2e%2f) in URL parameters. Implement file integrity monitoring on critical system and application files to detect unauthorized changes. Monitor for unusual PHP errors in logs, which could indicate failed LFI attempts.

Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block Local File Inclusion and directory traversal attacks. Additionally, ensure PHP configurations are hardened by disabling allow_url_include and restricting file access with open_basedir. Enforce the principle of least privilege for the web server user account to limit the scope of accessible files.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the critical nature of the data that could be exposed, it is strongly recommended that organizations prioritize the immediate application of the vendor-supplied patches. Although there is no evidence of active exploitation, the risk of data disclosure and further compromise is significant. Organizations should treat this as an urgent priority and implement the recommended monitoring and compensating controls to ensure a robust defense-in-depth security posture.