A high-severity vulnerability has been identified in multiple PenciDesign Soledad products, allowing for Local File Inclusion (LFI). An unauthenticated attacker could exploit this flaw to read sensitive files from the underlying server, potentially exposing credentials, configuration details, and other confidential data. This exposure could lead to further unauthorized access and compromise of the web server.

The vulnerability is a Local File Inclusion (LFI) flaw resulting from the improper sanitization of user-supplied input used in PHP include or require statements. An attacker can manipulate input parameters to include arbitrary local files from the server's filesystem. For example, an attacker could craft a request to read sensitive files like /etc/passwd or application configuration files (e.g., wp-config.php), leading to the disclosure of system information, user credentials, and database connection strings. In some scenarios, if combined with other vulnerabilities, this could be escalated to achieve remote code execution.

This vulnerability is rated as High severity with a CVSS score of 7.5, posing a significant risk to the organization. Successful exploitation could lead to a serious data breach through the theft of sensitive information, including customer data, intellectual property, and system credentials. The resulting impact could include reputational damage, financial loss, regulatory fines, and the potential for a full system compromise if an attacker leverages the disclosed information to gain further access to the network.

Immediate Action: All system administrators should immediately apply the security updates provided by PenciDesign to all affected products. After patching, it is critical to review web server and application access logs for any signs of exploitation that may have occurred prior to remediation.

Proactive Monitoring: Security teams should implement enhanced monitoring of web server logs, specifically looking for suspicious requests containing path traversal sequences (e.g., ../, ..%2F) or attempts to access common sensitive files. Monitor for unusual file read operations on the server, especially those originating from the web server process.

Compensating Controls: If immediate patching is not feasible, organizations should implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and path traversal attacks. Additionally, consider hardening the PHP configuration by restricting file system access for the web server user using features like open_basedir.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the critical nature of the potential data exposure, we strongly recommend that organizations prioritize the immediate application of the vendor-supplied patches to all internet-facing systems running the affected PenciDesign Soledad products. Although this CVE is not currently listed on the CISA KEV catalog, its potential for enabling initial access and data theft makes it an attractive target for attackers. Proactive patching and vigilant monitoring are essential to mitigate the significant risk this vulnerability presents.