A high-severity vulnerability has been identified in the Mikado-Themes Optimize WordPress plugin, which could allow an unauthenticated attacker to read sensitive files from the underlying server. Successful exploitation could lead to the disclosure of confidential information, such as database credentials and system configuration files, potentially enabling a complete compromise of the affected website and server. Organizations are urged to apply the vendor-provided security update immediately to mitigate this significant risk.

The vulnerability is a Local File Inclusion (LFI) flaw within the PHP code of the affected software. The application fails to properly sanitize user-supplied input that is used as a filename in an include or require statement. An attacker can exploit this by crafting a malicious request containing directory traversal sequences (e.g., ../) to navigate the server's file system and include arbitrary local files. This could allow the attacker to read the contents of sensitive files, such as wp-config.php, /etc/passwd, or application source code, leading to information disclosure. In certain scenarios, if the attacker can control the contents of a file on the server (e.g., through a separate file upload vulnerability or by poisoning log files), this LFI could be escalated to achieve Remote Code Execution (RCE).

This vulnerability is rated as High severity with a CVSS score of 8.1, posing a significant risk to the organization. Exploitation could lead to a severe data breach, exposing sensitive company data, customer information, and server credentials. The compromise of a web server could result in website defacement, service disruption, and its use as a pivot point for further attacks into the internal network. The potential business consequences include regulatory fines, reputational damage, loss of customer trust, and significant financial costs associated with incident response and recovery.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor across all affected installations immediately. Prioritize patching for internet-facing systems. After patching, organizations should monitor for any signs of exploitation attempts by reviewing web server access logs and system logs for anomalous activity.

Proactive Monitoring: Security teams should actively monitor web server logs for requests containing directory traversal patterns like ../, ..%2f, and ..%c0%af. Look for attempts to access common sensitive files (e.g., wp-config.php, /etc/passwd, .env). A Web Application Firewall (WAF) should be configured to detect and block such malicious requests. Monitor for any unexpected PHP processes or outbound network connections from web servers.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

• Deploy a Web Application Firewall (WAF) with rules specifically designed to block Local File Inclusion (LFI) and directory traversal attacks.
• Harden the web server and PHP configuration. Ensure the web server user has the minimum necessary file system permissions, restricting its ability to read sensitive files outside of the web root.
• Conduct a vulnerability scan to identify all instances of the affected software within the environment.

Public Exploit Available: false

Given the high CVSS score of 8.1 and the critical impact of a successful exploit, we strongly recommend that organizations prioritize the immediate patching of this vulnerability. All instances of the Mikado-Themes Optimize plugin should be identified and updated without delay, focusing first on internet-accessible web servers. Although this CVE is not currently listed on the CISA KEV list, its severity warrants urgent attention to prevent potential server compromise, data exfiltration, and significant business disruption.