A high-severity vulnerability has been identified in the LiquidThemes Hub Core, a component used across multiple products. This flaw allows an attacker to trick the web server into including and executing local files, potentially leading to the exposure of sensitive information, such as configuration files containing credentials, or a complete compromise of the affected server. Organizations using the affected software are at significant risk of data breach and system takeover.

The vulnerability is a Local File Inclusion (LFI) flaw within the Hub Core component. It exists because the application uses user-supplied input to construct a filename for a PHP include or require statement without proper validation. An unauthenticated remote attacker can exploit this by manipulating an input parameter (e.g., in the URL) with directory traversal sequences (e.g., ../../..) to force the application to include and execute arbitrary files from the server's local filesystem. Successful exploitation could allow an attacker to read sensitive files like /etc/passwd or application configuration files, and in some scenarios, could be escalated to achieve Remote Code Execution (RCE) if the attacker can write a PHP file to a readable location on the server.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could have a significant negative impact on the business. The most direct risk is a data breach, where an attacker could exfiltrate sensitive data including customer information, internal credentials, and intellectual property, leading to regulatory fines and reputational damage. If the vulnerability is leveraged to achieve full remote code execution, an attacker could gain complete control of the server, allowing them to install malware, pivot to other systems within the internal network, or disrupt critical business operations by causing a denial-of-service condition.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor to all affected systems immediately. After patching, it is crucial to monitor systems for any signs of exploitation that may have occurred prior to the update. This includes a thorough review of web server access logs and system logs for any suspicious activity or indicators of compromise.

Proactive Monitoring: Implement enhanced monitoring to detect exploitation attempts. Security teams should look for the following in web server access logs:

• Requests containing directory traversal patterns such as ../, ..%2f, or their encoded variants.
• Attempts to access common sensitive system or application files (e.g., /etc/passwd, wp-config.php, .env).
• Unusual error messages or unexpected application behavior that could indicate a failed inclusion attempt. File Integrity Monitoring (FIM) should be used to alert on unauthorized changes to web application files.

Compensating Controls: If immediate patching is not feasible, the following compensating controls can help mitigate risk:

• Web Application Firewall (WAF): Deploy a WAF with rulesets designed to block LFI and directory traversal attacks. Ensure the WAF is in blocking mode, not just logging.
• PHP Hardening: Configure the PHP environment to be more secure by setting the open_basedir directive, which restricts the files that can be accessed by PHP to a specified directory tree.
• Principle of Least Privilege: Ensure the web server's user account has the minimum necessary permissions to read and execute files, limiting its access to sensitive areas of the filesystem.

Public Exploit Available: false

Given the high severity (CVSS 7.5) of this vulnerability and its potential for leading to a full system compromise, we strongly recommend that organizations prioritize the immediate patching of all affected LiquidThemes products. While this CVE is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, its public disclosure makes it a prime target for future exploitation. If patching cannot be completed immediately, the compensating controls listed above, particularly the deployment of a Web Application Firewall, should be implemented as a matter of urgency to reduce the attack surface.