CVE-2025-68067
Select-Themes · Select-Themes Stockholm Core
Executive summary
A high-severity vulnerability has been identified in the Select-Themes Stockholm Core plugin, affecting multiple products. This flaw allows an attacker to trick the web server into including and executing unintended files from the local system, which can lead to sensitive information disclosure or a complete server compromise. Organizations using the affected software are at significant risk of data breaches and unauthorized system access.
Vulnerability
The vulnerability is a Local File Inclusion (LFI) flaw caused by improper control of the filename used in a PHP include or require statement. An unauthenticated remote attacker can exploit it by manipulating an input parameter so that the path of an arbitrary file on the server's local filesystem is included. Successful exploitation could allow the attacker to read sensitive files, such as wp-config.php, which contains the database credentials, or to execute arbitrary code if they can first place a malicious file on the server.
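The PHP sketch below is an added illustration and is not code from the Stockholm Core plugin or from Select-Themes; the function names, the template directory layout and the allowlist entries are assumptions. It places the generic unsafe pattern the advisory describes (an include path built directly from request input) beside a hardened loader that maps the input through a fixed allowlist and then confirms the resolved path still lies inside the intended directory, which is the control that removes the LFI class entirely.

```php
<?php
// Added example: NOT the Stockholm Core plugin's code. All names and paths are assumed.

// Unsafe pattern (the class of bug the advisory describes): the request value is
// spliced into the include path, so "../" sequences or absolute paths let the
// caller choose any file the web server user can read.
function load_template_unsafe(string $requested, string $templateDir): void
{
    include $templateDir . '/' . $requested . '.php';
}

// Hardened loader: request input is never used as a filesystem path.
// 1. Map the input through a fixed allowlist of known template names.
// 2. Resolve the real path and verify it is still inside $templateDir.
// 3. Only then include it. Rejections are logged for detection purposes.
function load_template_safe(string $requested, string $templateDir): bool
{
    static $allowed = [
        'header'  => 'header.php',
        'footer'  => 'footer.php',
        'sidebar' => 'sidebar.php',
    ];

    if (!array_key_exists($requested, $allowed)) {
        error_log('template request rejected (not in allowlist): ' . $requested);
        return false;
    }

    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $allowed[$requested]);

    // realpath() returns false for missing files; the prefix check also defends
    // against symlinks or a misconfigured allowlist entry pointing outside $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        error_log('template path escaped template directory: ' . var_export($path, true));
        return false;
    }

    include $path;
    return true;
}

// Demonstration with a constructed temporary template directory.
$dir = sys_get_temp_dir() . '/lfi_example_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/header.php', "<?php echo \"header rendered\\n\";");

load_template_safe('header', $dir);               // allowlisted name: template is rendered
load_template_safe('../../etc/passwd', $dir);     // traversal input: rejected before any filesystem access

unlink($dir . '/header.php');
rmdir($dir);
```

The allowlist is the primary control; the realpath prefix check is defence in depth for the case where the directory itself is misconfigured or contains a symlink. Note that `realpath()` requires the target to exist, so a missing template fails closed rather than falling through to a broader search path.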
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5, posing a significant risk to the business. Exploitation could lead to the theft of sensitive company and customer data, resulting in financial loss, regulatory fines, and severe reputational damage. An attacker could also gain full control of the affected web server, using it to launch further attacks, host malware, or cause a complete service outage, directly impacting business operations and customer trust.
Remediation
Immediate Action: Apply the security updates provided by Select-Themes as soon as possible to patch the vulnerability. After patching, review web server access logs and file integrity monitoring logs for any signs of compromise that may have occurred before the update was applied.
Proactive Monitoring: Security teams should actively monitor web server logs for suspicious requests containing path traversal sequences (e.g., ../, ..%2F) or attempts to access common sensitive files (e.g., /etc/passwd, wp-config.php). Monitor for unusual outbound network traffic or unexpected processes being executed by the web server user (e.g., www-data, apache).
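As an added example that is not part of the advisory, the PHP command-line script below scans access log lines for the indicators listed above: path traversal sequences in raw and URL-encoded forms (it also covers double-encoded and backslash variants, which goes slightly beyond the two sequences named in the text) and requests that name common sensitive files. The log lines are constructed; the query parameter name in them is invented and does not refer to any real parameter of the plugin.

```php
<?php
// Added example, not part of the advisory: flag access-log requests that carry
// path-traversal sequences or sensitive-file names. Sample log lines are constructed.

// Traversal indicators: raw, URL-encoded, double-encoded and backslash variants.
const TRAVERSAL_PATTERNS = [
    '/\.\.\//',          // ../
    '/\.\.%2f/i',        // ..%2F
    '/%2e%2e%2f/i',      // %2E%2E%2F
    '/%2e%2e\//i',       // %2E%2E/
    '/\.\.%252f/i',      // double-encoded ..%252F
    '/\.\.\\\\/',        // ..\  (Windows-style separator)
];

// Files an LFI attempt commonly targets, as named in the advisory.
const SENSITIVE_FILE_PATTERNS = [
    '/\/etc\/passwd/i',
    '/wp-config\.php/i',
];

/**
 * Parse a combined-format access log line into ip, request and status.
 * Returns null if the line does not look like an access log entry.
 */
function parse_access_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'request' => $m[2], 'status' => (int) $m[3]];
}

/**
 * Return the indicator categories matched by one request string.
 */
function lfi_indicators(string $request): array
{
    $hits = [];
    foreach (TRAVERSAL_PATTERNS as $re) {
        if (preg_match($re, $request)) { $hits[] = 'traversal'; break; }
    }
    foreach (SENSITIVE_FILE_PATTERNS as $re) {
        if (preg_match($re, $request)) { $hits[] = 'sensitive-file'; break; }
    }
    return $hits;
}

/**
 * Scan log lines and return one finding per suspicious request.
 */
function scan_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $entry = parse_access_line($line);
        if ($entry === null) { continue; }
        $hits = lfi_indicators($entry['request']);
        if ($hits) {
            $findings[] = ['line' => $n + 1, 'ip' => $entry['ip'], 'status' => $entry['status'],
                           'indicators' => $hits, 'request' => $entry['request']];
        }
    }
    return $findings;
}

// Constructed sample log (not real traffic; the "tpl" parameter is invented).
$sample = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /?tpl=home HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /?tpl=../../../../etc/passwd HTTP/1.1" 200 1203',
    '198.51.100.7 - - [10/Jan/2025:10:00:03 +0000] "GET /?tpl=..%2F..%2Fwp-config.php HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Jan/2025:10:00:04 +0000] "GET /?tpl=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 0',
    '192.0.2.9 - - [10/Jan/2025:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 3300',
];

foreach (scan_log($sample) as $f) {
    printf("line %d  %-14s status=%d  [%s]  %s\n",
        $f['line'], $f['ip'], $f['status'], implode(',', $f['indicators']), $f['request']);
}
```

When triaging the output, a traversal request answered with HTTP 200 and a non-trivial response size deserves priority over one answered with 404 or 500, since it may indicate the include actually succeeded; the status and byte count are therefore kept in each finding rather than only the matched pattern.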
Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block Local File Inclusion and path traversal attack patterns. Additionally, harden the server's PHP configuration by disabling allow_url_include (which blocks the remote-URL variant of file inclusion) and ensure the web server process has the minimum necessary file system permissions, so that it cannot read sensitive files outside the web root.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.5) of this vulnerability and the potential for complete system compromise, we strongly recommend that organizations prioritize applying the vendor-supplied patch immediately. Although this CVE is not currently listed in the CISA KEV catalog, LFI vulnerabilities are typically easy to exploit and therefore present an immediate risk to affected systems. All internet-facing servers running the vulnerable Stockholm Core plugin should be considered at high risk and patched without delay.