CVE-2025-58902
AncoraThemes · Lighthouse
An unauthenticated local file inclusion (LFI) vulnerability exists in AncoraThemes Lighthouse versions 1 and below, allowing for potential sensitive file disclosure.
Executive summary
AncoraThemes Lighthouse is susceptible to an unauthenticated local file inclusion vulnerability, enabling attackers to read sensitive files from the underlying server.
Vulnerability
This is a Local File Inclusion (LFI) vulnerability: an unauthenticated attacker can control a file path parameter that the theme passes to a file include or read operation, so the server returns the contents of files it was never meant to serve. Any file readable by the web server process is exposed, including configuration files holding credentials and system files such as /etc/passwd.
Business impact
Successful exploitation allows attackers to gain unauthorized access to configuration files, which may contain database credentials, API keys, or sensitive system information. Given the CVSS score of 8.1, the risk of full site compromise and subsequent data breaches is significant, necessitating rapid mitigation to prevent reputational and operational damage.
Remediation
Immediate Action: Upgrade Lighthouse as soon as AncoraThemes publishes a fixed release. No fixed version is listed here, so until one is available the controls below are the only protection; if the theme is installed but not in use, removing it eliminates the exposure entirely.
Proactive Monitoring: Monitor web server logs for requests containing directory traversal sequences (e.g., ../) or attempts to read common system files such as /etc/passwd. Decode and normalize the request target before matching, because attackers routinely URL-encode (..%2F), double-encode (%252e%252e) or use backslashes to evade naive string matches. A traversal request that returned HTTP 200 with a non-trivial body size should be treated as a probable disclosure, not just a probe.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules that block directory traversal attempts and requests targeting sensitive file paths, configured to apply the same decoding and normalization before the rule is evaluated. Treat the WAF as a stopgap only: it narrows the attack surface but does not remove the vulnerable code.
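The monitoring and WAF items above both depend on the same step: normalizing the request target before looking for traversal or sensitive-path indicators. The script below, added here as an example and not code from AncoraThemes or this advisory, applies that normalization to constructed access-log lines and flags the ones worth investigating. The `file` parameter name, the sample IPs and the log lines are all made up for illustration; the real vulnerable parameter is not identified on this page.

```python
import re
import urllib.parse

# Constructed sample lines in combined access-log format. Not real traffic;
# the "file" query parameter is an assumed name used only for illustration.
SAMPLE_LOG = (
    '203.0.113.5 - - [10/Jan/2025:12:00:01 +0000] "GET /?file=../../../../etc/passwd HTTP/1.1" 200 1523 "-" "curl/8.0"\n'
    '203.0.113.5 - - [10/Jan/2025:12:00:02 +0000] "GET /?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1523 "-" "curl/8.0"\n'
    '203.0.113.5 - - [10/Jan/2025:12:00:03 +0000] "GET /?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210 "-" "curl/8.0"\n'
    '198.51.100.7 - - [10/Jan/2025:12:00:04 +0000] "GET /about-us/ HTTP/1.1" 200 8341 "-" "Mozilla/5.0"\n'
    '198.51.100.7 - - [10/Jan/2025:12:00:05 +0000] "GET /?file=..\\..\\windows\\win.ini%00.php HTTP/1.1" 200 430 "-" "Mozilla/5.0"\n'
)

# Minimal combined-log-format parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

TRAVERSAL_RE = re.compile(r"\.\.(?:/|$)")
# Illustrative list of files an LFI is typically used to read; extend per platform.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "/windows/win.ini")


def normalize_target(target: str) -> str:
    """Canonicalise a request target the way a log rule or WAF must before
    matching: peel repeated URL encoding, unify path separators, collapse
    duplicate slashes and lower-case (Windows paths are case-insensitive)."""
    decoded = target
    for _ in range(3):  # enough rounds to undo double or triple encoding
        step = urllib.parse.unquote(decoded)
        if step == decoded:
            break
        decoded = step
    decoded = decoded.replace("\\", "/")
    decoded = re.sub(r"/{2,}", "/", decoded)
    return decoded.lower()


def traversal_indicators(target: str) -> list[str]:
    """Return the list of LFI indicators present in a request target."""
    norm = normalize_target(target)
    reasons = []
    if TRAVERSAL_RE.search(norm):
        reasons.append("traversal")
    if any(p in norm for p in SENSITIVE_PATHS):
        reasons.append("sensitive_file")
    if "\x00" in norm:  # %00 truncation trick against appended extensions
        reasons.append("null_byte")
    return reasons


def scan_access_log(text: str) -> list[dict]:
    """Parse each log line and collect the requests that show LFI indicators."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = traversal_indicators(m["target"])
        if reasons:
            hits.append({
                "ip": m["ip"],
                "target": m["target"],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        # A 200 on a traversal request means the server likely served the file.
        verdict = "LIKELY DISCLOSURE" if hit["status"] == 200 else "probe"
        print(f'{hit["ip"]} {hit["status"]} {verdict} {hit["reasons"]} {hit["target"]}')
```

The benign `/about-us/` request is not flagged; the four traversal requests are, including the double-encoded and backslash variants that a rule matching the literal string `../` would miss. The 404 entry is a probe; the 200 entries with a body size matching a real file are the ones to escalate.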
Exploitation status
Public Exploit Available: false
Analyst recommendation
LFI vulnerabilities are a high-risk vector for server compromise and should be prioritized for remediation. Site administrators should monitor the vendor's release channels and apply the necessary updates immediately to secure their application against unauthorized file access.