WordPress Thegov Core plugin < 2.0.23 - Local File Inclusion vulnerability

Vulnerability

Thegov Core plugin for WordPress versions prior to 2.0.23 contains an unauthenticated Local File Inclusion (LFI) vulnerability. The flaw allows an attacker to include local files from the server without requiring authentication. Affected versions: all versions before 2.0.23. [1]

Exploitation

An attacker can exploit this vulnerability by sending a crafted request to the vulnerable endpoint. No authentication is required, and the attack can be performed remotely over HTTP. The attacker does not need any special privileges or user interaction. [1]

Impact

Successful exploitation allows an attacker to read arbitrary local files from the target server, including sensitive files such as database configuration files (e.g., wp-config.php). This could lead to full database compromise depending on the server configuration. The confidentiality of the system is severely impacted. [1]

Mitigation

The vulnerability is fixed in version 2.0.23 of Thegov Core plugin. Users should update to version 2.0.23 or later immediately. If unable to update, Patchstack provides a mitigation rule to block attacks until the update is applied. [1]