A high-severity vulnerability has been identified in multiple ThemeMove MinimogWP products for WordPress. This flaw, a Local File Inclusion (LFI), could allow an unauthenticated attacker to read sensitive files from the web server, potentially exposing confidential data such as database credentials and system configuration files. Successful exploitation could lead to a full system compromise.

The vulnerability exists due to an improper control of filenames used in PHP's include or require statements within the MinimogWP theme. An attacker can manipulate input parameters, likely in a URL, to inject path traversal sequences (e.g., ../). This tricks the application into including a file from an unintended location on the server's local filesystem, allowing the attacker to read the contents of arbitrary files that the web server process has permissions to access, such as wp-config.php or /etc/passwd.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could lead to significant business consequences, including the exposure of highly sensitive information like database credentials, API keys, and other proprietary data stored on the server. This could result in a severe data breach, financial loss, reputational damage, and regulatory penalties. If an attacker can leverage this vulnerability to read sensitive files, they may gain further access to the system, potentially leading to a complete server compromise.

Immediate Action: Organizations must apply the security updates provided by the vendor immediately to patch the affected MinimogWP theme. After patching, it is crucial to monitor web server access logs for any signs of exploitation attempts that may have occurred prior to the update.

Proactive Monitoring: Security teams should actively monitor web server logs for suspicious requests targeting the affected theme. Look for URL patterns containing path traversal sequences like ../, ..%2f, or absolute file paths in request parameters. Monitor for unusual read access to sensitive system files by the web server user account.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to detect and block path traversal and local file inclusion attacks. Additionally, harden the server's PHP configuration by ensuring allow_url_include is disabled and configuring open_basedir to restrict file access to only necessary directories.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the potential for sensitive data exposure, it is strongly recommended that organizations prioritize the immediate patching of this vulnerability. Although this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, the risk of exploitation is significant. Organizations should apply the vendor-supplied updates without delay and implement the proactive monitoring and compensating controls outlined above to reduce their risk profile.