A high-severity vulnerability, identified as CVE-2025-68068, has been discovered in multiple products from Improper. This flaw allows an attacker to trick the application into including and executing local files on the server, potentially leading to sensitive information disclosure or a full system compromise. Organizations are urged to apply vendor patches immediately to mitigate the significant risk of a security breach.

This vulnerability is a Local File Inclusion (LFI) flaw. It exists because the application, specifically within components like the Select-Themes Stockholm theme, fails to properly validate and sanitize user-supplied input that is used to construct a file path for a PHP include or require statement. A remote, unauthenticated attacker can exploit this by crafting a malicious request containing directory traversal sequences (e.g., ../) to navigate the server's file system. This forces the application to include and execute arbitrary files from the server, which can lead to sensitive data disclosure (e.g., reading configuration files) or, if combined with a file upload capability, achieve remote code execution.

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation poses a significant threat to business operations. The primary risks include a data breach resulting from an attacker reading sensitive files containing customer data, credentials, or proprietary information. If the attacker escalates the LFI to remote code execution, they could gain complete control of the affected server, leading to a full system compromise, service disruption, and the potential for lateral movement within the network. A public breach stemming from this vulnerability could result in severe reputational damage, regulatory fines, and loss of customer trust.

Immediate Action: Apply vendor-supplied security updates immediately to patch the vulnerability. After patching, it is critical to monitor for any signs of exploitation attempts by thoroughly reviewing application and web server access logs for suspicious activity that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced logging and monitoring to detect exploitation attempts. Security teams should look for the following indicators in web server access logs:

• URL requests containing directory traversal patterns such as ../, ..%2f, %2e%2e/.
• Attempts to access common sensitive files like /etc/passwd, wp-config.php, .env, or application log files through the vulnerable parameter.
• Unusual outbound network connections from the web server, which could indicate a successful compromise and a reverse shell.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Deploy a Web Application Firewall (WAF) with rules specifically configured to detect and block LFI and directory traversal attack patterns.
• Harden the server's PHP configuration by using the open_basedir directive to restrict the file paths that PHP can access.
• Enforce the principle of least privilege by ensuring the web server process runs with minimal permissions, limiting its ability to read sensitive files outside of the web root directory.

Public Exploit Available: false

Given the High severity (CVSS 7.5) of this vulnerability and the potential for complete system compromise, immediate action is required. Organizations using the affected products must prioritize the deployment of the vendor-provided security patches across all vulnerable systems. Although this vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high impact and the ease of exploitation for this class of flaw demand an urgent response. We strongly recommend implementing the proactive monitoring and compensating controls outlined above to reduce the attack surface and detect potential exploitation attempts.