A high-severity vulnerability has been identified in multiple products from the vendor Improper, specifically within the Mikado-Themes Hendon theme. This flaw, a type of Remote File Inclusion, allows an unauthenticated attacker to trick the application into including and executing malicious files or exposing sensitive local files on the server. Successful exploitation could lead to complete system compromise, data theft, or service disruption.

The vulnerability is an Improper Control of Filename for an Include/Require Statement in a PHP program, commonly known as Remote File Inclusion (RFI) which allows for Local File Inclusion (LFI). An attacker can manipulate an input parameter, likely in a URL, that the application uses to include a file. By crafting a special request containing directory traversal sequences (e.g., ../) or a path to a sensitive system file, an unauthenticated remote attacker can force the server to read and display the contents of local files it would not normally have access to, such as configuration files containing credentials or system user information.

This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could have a significant negative impact on the business. An attacker could access sensitive data, including customer information, intellectual property, and internal credentials, leading to data breaches and regulatory penalties. Furthermore, if the vulnerability allows for code execution, the attacker could gain complete control of the affected server, using it to launch further attacks, disrupt services, or install persistent malware, resulting in significant reputational damage and financial loss.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor immediately across all affected systems. After patching, it is crucial to review web server and application access logs for any signs of exploitation attempts that may have occurred prior to the patch being applied.

Proactive Monitoring: Implement continuous monitoring of web server logs for suspicious requests. Look for URL patterns containing directory traversal sequences like ../, ..%2f, or absolute file paths (e.g., /etc/passwd, C:\boot.ini). Monitor for outbound connections from the web server to unusual IP addresses, which could indicate a successful Remote File Inclusion attack.

Compensating Controls: If patching cannot be performed immediately, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI/RFI attack patterns. Additionally, harden the PHP server configuration by disabling allow_url_fopen and allow_url_include to prevent remote file inclusion, and ensure the web server process runs with the lowest possible privileges to limit the impact of a potential breach.

Public Exploit Available: false

Given the high CVSS score of 8.1 and the critical impact of a successful exploit, this vulnerability poses a significant risk to the organization. Although it is not currently listed on the CISA KEV catalog, its severity warrants immediate attention. We strongly recommend that the vendor-supplied patches are applied on an emergency basis. If patching is delayed, the implementation of compensating controls, such as a WAF, is critical to mitigate the immediate risk.