A high-severity vulnerability has been identified in multiple ThemeMove EduMall products, assigned CVE-2025-68061. This flaw allows an attacker to trick the application into including and executing unintended files from the server, a technique known as Local File Inclusion (LFI). Successful exploitation could lead to the exposure of sensitive information, such as server configuration files and user credentials, and may potentially result in full system compromise.

The vulnerability is a Local File Inclusion (LFI) flaw resulting from an improper control of filenames used in PHP's include or require statements. An unauthenticated remote attacker can manipulate an input parameter, likely in the URL, to specify a path to an arbitrary file on the server's local filesystem. The application fails to properly sanitize this input, causing the server to include and process the specified file, revealing its contents to the attacker or, in some cases, executing embedded PHP code within it.

This vulnerability is rated as high severity with a CVSS score of 7.5. Exploitation could have a significant business impact by enabling attackers to access and exfiltrate sensitive data stored on the web server. This includes database credentials from configuration files (e.g., wp-config.php), system user information, and proprietary application source code. A successful attack could lead to a severe data breach, regulatory penalties, loss of customer trust, and reputational damage. If an attacker can leverage this LFI to achieve remote code execution, they could gain complete control of the affected server, disrupting business operations and using it as a launch point for further attacks.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor immediately across all affected products. After patching, organizations should actively monitor web server and application logs for any signs of attempted or successful exploitation and review historical logs for indicators of a prior compromise.

Proactive Monitoring: Security teams should configure monitoring to detect potential LFI attack patterns in web access logs. Look for suspicious requests containing directory traversal sequences (e.g., ../, ..%2f) or references to sensitive system files (e.g., /etc/passwd, wp-config.php) in URL parameters. Monitor for anomalous file access activity by the web server user account on the host system.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to block directory traversal and LFI attack patterns. Additionally, harden the server environment by enforcing the principle of least privilege for the web server's user account, ensuring it cannot access files outside of its designated directories. Restricting PHP's open_basedir directive can also help limit the scope of a potential LFI exploit.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the potential for sensitive data exposure and system compromise, we strongly recommend that organizations using affected ThemeMove EduMall products prioritize the immediate application of vendor-supplied security patches. Although there is no evidence of active exploitation, the risk of a future attack is significant. Organizations should treat this as a critical vulnerability and implement the recommended remediation and monitoring actions without delay to mitigate potential business impact.