CVE-2026-24608

Improper Control of Filename for Include/Require Statement in PHP Program · Multiple Products

A high-severity vulnerability has been identified in the Elated-Themes Laurent Core component, affecting multiple products.

Executive summary

The flaw, a Local File Inclusion (LFI) in the Elated-Themes Laurent Core (laurent-core) component, allows an unauthenticated attacker to make the web server include, and therefore read or execute, arbitrary files on the system. Likely outcomes are sensitive information disclosure, website defacement, or complete server compromise.

Vulnerability

This vulnerability is a Local File Inclusion (LFI) flaw classed as CWE-98, "Improper Control of Filename for Include/Require Statement in PHP Program." The affected component, laurent-core, passes user-supplied input to a PHP include or require statement without adequate validation. An unauthenticated remote attacker can send a crafted request containing directory traversal sequences (../) so that the application includes a file from an arbitrary location on the server's filesystem. Because include executes PHP source rather than displaying it, the immediate exposure is to non-PHP files (e.g., /etc/passwd, /proc/self/environ, log files); retrieving the contents of a PHP file such as wp-config.php typically requires a php://filter stream wrapper in the same parameter. If the attacker can also place content on disk, for example through a file upload feature or by poisoning a log or session file the web server can read, the same inclusion executes that content and becomes Remote Code Execution (RCE).
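The difference between the vulnerable pattern and a hardened template loader, written here in Python as an added illustration rather than laurent-core's own code (the parameter and template names below are hypothetical; the advisory does not name the affected parameter): the allowlist rejects traversal sequences, stream wrappers and the ....// trick that defeats single-pass ../ stripping, and a canonical-path check keeps even an allowlisted name from following a planted symlink out of the template directory. The same two rules map onto PHP as an in_array() allowlist plus a realpath() prefix comparison.

```python
import os
import tempfile

# Hypothetical allowlist of template names a theme might expose via a query
# parameter; the real laurent-core names are not known from the advisory.
ALLOWED_TEMPLATES = frozenset({"home", "portfolio", "contact"})


def naive_sanitize(user_value: str) -> str:
    """The filter that does NOT fix CWE-98: stripping '../' a single time.
    '....//' collapses to '../' after one pass, so traversal survives."""
    return user_value.replace("../", "")


def resolve_template(base_dir: str, user_value: str,
                     allowed=ALLOWED_TEMPLATES) -> str:
    """Hardened lookup for an include()-style template loader.

    Rule 1: the user value must be a bare name on the allowlist (no separators,
            no stream wrappers such as php://, no control over the extension).
    Rule 2: the canonical path of the chosen file must stay under base_dir,
            which also catches a symlink planted inside the template directory.
    """
    if user_value not in allowed:
        raise ValueError(f"template not in allowlist: {user_value!r}")
    real_base = os.path.realpath(base_dir)
    real_path = os.path.realpath(os.path.join(real_base, user_value + ".php"))
    if os.path.commonpath([real_base, real_path]) != real_base:
        raise ValueError(f"resolved path escapes template directory: {real_path}")
    if not os.path.isfile(real_path):
        raise FileNotFoundError(real_path)
    return real_path


def try_template(base_dir: str, user_value: str) -> str:
    """Convenience wrapper: 'accepted' or 'rejected: <reason>'."""
    try:
        resolve_template(base_dir, user_value)
        return "accepted"
    except (ValueError, FileNotFoundError) as exc:
        return f"rejected: {exc}"


def build_fixture() -> str:
    """Constructed on-disk layout for the demo (not a real site):
    <tmp>/secret.txt outside the template dir, <tmp>/templates/{home,contact}.php
    inside, plus templates/portfolio.php as a symlink pointing outside."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    base = os.path.join(root, "templates")
    os.mkdir(base)
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("DB_PASSWORD=example-only\n")
    for name in ("home", "contact"):
        with open(os.path.join(base, name + ".php"), "w") as fh:
            fh.write(f"<?php echo '{name}'; ?>\n")
    try:
        os.symlink(os.path.join(root, "secret.txt"),
                   os.path.join(base, "portfolio.php"))
    except OSError:
        pass  # no symlink support (e.g. unprivileged Windows): rule 2 is not exercised
    return base


if __name__ == "__main__":
    base = build_fixture()
    print("naive filter leaves:", naive_sanitize("....//....//etc/passwd"))
    for value in ("home", "../../etc/passwd", "....//secret.txt",
                  "php://filter/resource=home", "home.php", "portfolio"):
        print(f"{value!r:<32} {try_template(base, value)}")
```

The portfolio case is the one an allowlist alone misses: the name is legitimate, but the file behind it resolves outside the template directory, and only the realpath comparison rejects it.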

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could have a significant negative impact on the business. An attacker could gain unauthorized access to sensitive data, including customer information, database credentials, and application source code, leading to a major data breach. The ability to execute code on the server could also lead to website defacement, installation of malware or ransomware, or the server being used to launch further attacks against other internal systems. These outcomes pose severe risks of reputational damage, financial loss, and potential regulatory penalties.

Remediation

Immediate Action: Apply the security updates provided by the vendor immediately. This is the most effective method to permanently resolve the vulnerability. After patching, monitor systems for any signs of exploitation that may have occurred prior to the update by reviewing access logs for suspicious requests.

Proactive Monitoring:

  • Web Server Logs: Monitor web server access logs (e.g., Apache, Nginx) for requests whose path or query string contains directory traversal patterns such as ../, ..%2f, ..%5c, or the double-encoded ..%252f, as well as PHP stream wrappers such as php://filter. Look for attempts to reach common system files like /etc/passwd, /proc/self/environ, or application configuration files such as wp-config.php. A 200 response with a non-trivial body size to such a request is a much stronger indicator than a 403 or 404.
  • File Integrity Monitoring (FIM): Use FIM to detect unauthorized changes or the creation of new files (e.g., web shells) within the web application's directories.
  • System Processes: Monitor for unexpected processes being spawned by the web server user (e.g., www-data, apache), which could indicate a successful code execution exploit.
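A small scanner over constructed Apache access-log lines, added here as an example and not part of the original advisory, that applies the log check above: it percent-decodes each request target repeatedly (so ..%252f is caught as well as ..%2f), then flags traversal sequences, sensitive file names and PHP stream wrappers, marks responses that returned a body, and counts hits per source address. The log lines and addresses are made up for the demonstration, and the template parameter name is hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-format lines for the demo; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "GET /?template=../../../../etc/passwd HTTP/1.1" 200 1842 "-" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2026:10:00:02 +0000] "GET /?template=..%2f..%2f..%2fproc%2fself%2fenviron HTTP/1.1" 200 640 "-" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2026:10:00:03 +0000] "GET /?template=..%252f..%252fwp-config.php HTTP/1.1" 404 0 "-" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2026:10:00:04 +0000] "GET /?template=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 3120 "-" "curl/8.4.0"
198.51.100.7 - - [10/Jan/2026:10:00:05 +0000] "GET /about-us/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2026:10:00:06 +0000] "GET /blog/..\\..\\style.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD target PROTO" status size ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')                      # ../ or ..\ after decoding
SENSITIVE_RE = re.compile(
    r'(/etc/passwd|/proc/self/environ|wp-config\.php|\.htaccess|\.env\b)', re.I)
WRAPPER_RE = re.compile(r'\b(php|data|expect|phar|zip|file)://', re.I)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value is stable so double encoding cannot hide '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str):
    """Return a finding dict for a suspicious request line, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(m.group("target"))
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal")
    if SENSITIVE_RE.search(decoded):
        reasons.append("sensitive-file")
    if WRAPPER_RE.search(decoded):
        reasons.append("php-wrapper")
    if not reasons:
        return None
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "status": status,
        "decoded": decoded,
        "reasons": reasons,
        # a 2xx with a body means the include may actually have succeeded
        "likely_success": 200 <= status < 300 and m.group("size") not in ("-", "0"),
    }


def scan(log_text: str) -> list:
    """All suspicious findings in a block of access-log text, in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f]


def hits_per_ip(findings) -> dict:
    """Source addresses ranked by number of suspicious requests."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    findings = scan(SAMPLE_LOG)
    for f in findings:
        flag = "!" if f["likely_success"] else " "
        print(f"{flag} {f['ip']:<14} {f['status']} {','.join(f['reasons']):<24} {f['decoded']}")
    print(hits_per_ip(findings))
```

Run it against a real log with scan(open(path).read()); the "!" rows (2xx with a body) are the ones to triage first, and a single address accumulating several hits in a short window is the usual shape of a scanner probing for this bug class.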

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

  • Web Application Firewall (WAF): Deploy a WAF with rulesets designed to detect and block LFI and directory traversal attack patterns.
  • Harden PHP Configuration: Ensure allow_url_fopen and allow_url_include are set to Off in php.ini (allow_url_include is Off by default and has been deprecated since PHP 7.4) to prevent escalation to Remote File Inclusion (RFI). These settings do not stop local inclusion; additionally set open_basedir to the directories the application legitimately needs so that include cannot reach files outside them.
  • File System Permissions: Enforce strict file system permissions so the web server process can read only what it needs and cannot write to the web root or template directories; this limits both what an LFI can expose and where a web shell could be dropped.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the High severity (CVSS 7.5) of this vulnerability and its potential to lead to a full system compromise, immediate action is required. Although CVE-2026-24608 is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, an unauthenticated LFI requires no credentials and little skill to attempt, and it warrants urgent attention. We strongly recommend that all organizations using the affected software prioritize the deployment of the vendor-supplied patch. Where patching is delayed, compensating controls, particularly a properly configured Web Application Firewall, must be implemented as a temporary mitigation.