A high-severity vulnerability has been identified in the G5Theme Handmade Framework, which is used across multiple G5Theme products. This flaw allows an unauthenticated attacker to read sensitive files from the underlying server by manipulating file inclusion functions. Successful exploitation could lead to the exposure of confidential data, system credentials, and potentially a full compromise of the affected web server.

This vulnerability is a Local File Inclusion (LFI) flaw resulting from an improper control of filenames used in PHP's include or require statements. An attacker can exploit this by supplying a specially crafted input, typically through a URL parameter, that contains directory traversal sequences (e.g., ../../). The application fails to properly sanitize this input, causing it to include a file from an unintended location on the server's file system. This allows the attacker to read the contents of sensitive files such as configuration files containing database credentials (wp-config.php), system user files (/etc/passwd), or application source code. If the attacker can also upload a file to the server, this LFI vulnerability could be escalated to achieve Remote Code Execution (RCE).

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation can have significant business consequences, including a direct breach of sensitive data. The exposure of configuration files could lead to the compromise of databases and other connected systems. A successful RCE attack would grant the adversary full control over the web server, enabling them to deface the website, install malware, steal customer data, or use the server to launch further attacks. Such an incident could result in severe reputational damage, regulatory fines, and financial loss.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor (G5Theme) immediately. This will patch the underlying code flaw and prevent exploitation. After patching, it is crucial to monitor web server access logs for any signs of past or ongoing exploitation attempts.

Proactive Monitoring: Security teams should actively monitor web server logs for requests containing directory traversal payloads (e.g., ../, ..%2f, %2e%2e%2f) in URL parameters. Implement alerts for unusual file access patterns or outbound connections from the web server. File Integrity Monitoring (FIM) can also help detect unauthorized changes to critical system or application files.

Compensating Controls: If immediate patching is not feasible, the following controls can help mitigate risk:

• Web Application Firewall (WAF): Deploy a WAF with rulesets designed to detect and block LFI and directory traversal attack patterns.
• Harden PHP Configuration: Ensure the open_basedir directive is configured in php.ini to restrict PHP processes to only access files within specific, authorized directories.
• Least Privilege: Run the web server and PHP processes under a low-privilege user account with minimal read permissions on the file system.

Public Exploit Available: False

Given the high severity (CVSS 7.5) and the critical impact of a successful exploit, which includes sensitive data disclosure and potential server compromise, we strongly recommend that organizations prioritize the immediate application of vendor-supplied patches. Although CVE-2026-22521 is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its straightforward exploit path makes it an attractive target for attackers. All systems running the G5Theme Handmade Framework should be identified and updated without delay to mitigate this significant risk.