A high-severity vulnerability has been identified in multiple reDim GmbH CookieHint products for WordPress. This flaw, known as a Local File Inclusion, could allow an unauthenticated attacker to read sensitive files from the underlying server by manipulating how the application includes files. Successful exploitation could lead to the exposure of confidential data, such as website configuration files and user credentials, potentially enabling a complete system compromise.

This vulnerability is a Local File Inclusion (LFI) flaw, categorized as an Improper Control of Filename for an Include/Require Statement in a PHP Program. The application uses user-supplied input to construct a file path that is then used in a PHP include or require statement without proper validation or sanitization. An attacker can exploit this by crafting a malicious request, typically manipulating a URL parameter, to include directory traversal sequences (e.g., ../) and specify the path to an arbitrary file on the server. This forces the application to read and potentially display the contents of sensitive files, such as wp-config.php (containing database credentials) or system files like /etc/passwd.

This is a High severity vulnerability with a CVSS score of 7.5. Exploitation of this flaw can have significant business consequences, including a serious data breach. An attacker could gain access to sensitive information, such as database credentials, application source code, and local system user data. This could lead to reputational damage, loss of customer trust, and potential regulatory fines. If an attacker can read the wp-config.php file, they can gain control of the website's database, and if they chain this vulnerability with another (such as a file upload), they could achieve full remote code execution and compromise the entire server.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor immediately across all affected installations. After patching, it is critical to monitor for any signs of exploitation attempts by reviewing web server access logs and application logs for suspicious activity that may have occurred prior to the patch.

Proactive Monitoring: Security teams should actively monitor web server access logs for requests containing directory traversal patterns (e.g., ../, ..%2f, ..\) or absolute file paths targeting sensitive files. Monitor PHP error logs for "failed to open stream" or "include()" errors, which could indicate failed exploitation attempts. Network traffic should be monitored for any unusual outbound connections from the web server, which could signal a successful compromise.

Compensating Controls: If patching cannot be performed immediately, the following controls can help mitigate risk:

• Web Application Firewall (WAF): Implement a WAF with a robust ruleset to detect and block LFI and directory traversal attack patterns.
• Harden PHP Configuration: Ensure that allow_url_include is disabled in the php.ini configuration file to prevent the vulnerability from being escalated to Remote File Inclusion.
• File System Permissions: Apply the principle of least privilege. Ensure the web server's user account has restrictive read/write permissions and cannot access files or directories outside of the web root.

Public Exploit Available: false

Given the high severity (CVSS 7.5) of this vulnerability and its potential to cause a significant data breach, we strongly recommend that organizations prioritize applying the vendor-supplied security updates immediately. While this CVE is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, the risk of sensitive data exposure and potential for full system compromise is substantial. If patching is delayed, implement the suggested compensating controls, particularly a Web Application Firewall, and enhance monitoring to detect and respond to any exploitation attempts.