| Theme name | AC Services \| HVAC, Air Conditioning & Heating Company WordPress Theme |
|---|---|
| Vulnerability type | Local File Inclusion |
| CVE ID | CVE-2026-27326 |
| Severity | High |
| CVE publication date | 2026-03-06 |
| Source URL | CVE-2026-27326 |
Local File Inclusion (LFI) in the “AC Services” WordPress Theme (≤ 1.2.5) — Full Analysis, Risk Assessment and Practical Mitigation
Summary: A high-severity Local File Inclusion (LFI) vulnerability (CVE-2026-27326) affecting the “AC Services | HVAC, Air Conditioning & Heating Company” WordPress theme (versions ≤ 1.2.5) has been disclosed. The issue allows unauthenticated attackers to make the site include local files, potentially exposing secrets such as database credentials and other sensitive files. This briefing explains what the vulnerability is, why it matters, how attackers exploit it, how to detect exploitation, and a prioritised, practical remediation plan you can apply immediately.
Note: CVE-2026-27326 is classified as Local File Inclusion with High severity (CVSS 8.1) and is exploitable without authentication.
What is Local File Inclusion (LFI)?
Local File Inclusion (LFI) is a web application vulnerability class where an attacker can cause a server-side script to include and evaluate files from the local filesystem. In PHP applications such as WordPress themes, this typically stems from unsafe use of include(), require(), or similar functions where a user-controllable parameter selects a file. Successful exploitation can reveal sensitive files (wp-config.php, .env, backups), disclose credentials, and in some configurations lead to code execution.
LFI differs from Remote File Inclusion (RFI): PHP's allow_url_include setting is off by default (and deprecated since PHP 7.4), so including a remote URL rarely works on modern hosts, which makes LFI the more common real-world risk. Local files frequently contain secrets and configuration, making LFI highly valuable to attackers.
The AC Services theme vulnerability: quick facts
- Affected product: “AC Services | HVAC, Air Conditioning & Heating Company” WordPress theme (theme family: Window / AC Services)
- Vulnerable versions: ≤ 1.2.5
- Vulnerability type: Local File Inclusion (LFI)
- CVE: CVE-2026-27326
- Reported by: independent researcher (public disclosure date 2026-03-04)
- Privilege required: None — unauthenticated
- Impact: Disclosure of local files (including wp-config.php), potential database credential leakage, possible site takeover depending on server configuration and writable upload directories
- Patch status: Treat active sites as at risk until the vendor publishes a confirmed fix and you apply it.
Why this vulnerability is dangerous for WordPress sites
Key attributes that make this LFI severe:
- Unauthenticated exploitation — attackers can probe and exploit without an account.
- Sensitive local files — WordPress installations commonly contain wp-config.php, logs, backups and other files that hold credentials and secrets.
- Automated mass-scanning — attackers deploy bots to discover and exploit vulnerable themes quickly after disclosure.
- Pivot to full compromise — exposed DB credentials can lead to content manipulation, admin creation, or persistent backdoors.
- Supply-chain risk — purchased themes deployed across many client sites can result in broad exposure.
Given these factors, implement layered mitigations immediately: block exploitation attempts, detect past exploitation, and patch the root cause.
How attackers can (and often will) abuse an LFI
Attackers commonly follow this playbook:
- Fingerprinting — identify sites using the vulnerable theme and version.
- Probing — send crafted requests to known vulnerable endpoints, often with directory traversal sequences (../ or encoded equivalents).
- Data extraction — retrieve wp-config.php and other files containing credentials or salts.
- Credential use or escalation — use exposed DB credentials to alter data, create admin users, or achieve further access.
- Persistence and cleanup — install backdoors/webshells and remove logs to hide traces.
Blocking LFI attempts early is an effective way to reduce risk and stop many automated attacks.
Indicators of compromise (IoCs) and detection guidance
Look for these signs in logs and on the filesystem — common IoCs for LFI exploitation attempts:
- HTTP requests to theme endpoints with query parameters containing traversal payloads (“../” or encoded forms such as “..%2F”).
- Requests whose parameters are named like file=, page=, template=, include=, path=, view=, etc., especially when they are handled by theme code.
- Repeated 200 responses for requests that should return 404/403.
- Evidence of web access to wp-config.php, .env, or backup files.
- New or modified PHP files in uploads, wp-content, or theme directories (possible webshells).
- Unexpected database changes (new admin users, altered posts with malware).
- Elevated error logs revealing file contents or stack traces.
- Unexpected outbound connections from the web server.
Detection actions you can take now:
- Review web server access logs for requests containing ../ (or its encoded forms) or attempts to fetch sensitive filenames.
- Scan the filesystem for recently modified files and unexpected PHP files in uploads.
- Search the database for unfamiliar users and suspicious post content.
- Use your server or hosting provider logs to check for blocked or suspicious requests.
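The following Python script is an added example (it is not part of the original advisory and not the theme's code) that runs the IoC checks above over access-log lines: it percent-decodes each parameter until the value stops changing so that double-encoded traversal is not missed, folds backslashes, and then scores traversal sequences, PHP stream wrappers, null bytes, sensitive filenames, and the case where the sensitive file was actually served (status 200). The log lines, the theme path /wp-content/themes/example-theme/view.php and the parameter names are constructed for the demonstration; the advisory does not name the vulnerable endpoint. The same normalisation has to happen before any pattern match in the edge rules described in the mitigation section, otherwise ..%252F walks straight past a rule that only looks for ../.

```python
"""Flag Local File Inclusion (LFI) indicators in web-server access-log lines.

Added example, not code from the advisory or the theme. The log lines and the
theme path /wp-content/themes/example-theme/view.php are constructed: the
advisory does not name the vulnerable endpoint or its parameter.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
THEME_PREFIX = "/wp-content/themes/"   # assumption: default theme location
LFI_PARAMS = {"file", "page", "template", "include", "path", "view"}
SENSITIVE = ("wp-config.php", "/.env", "/.git/", "/etc/passwd", ".sql", ".bak")
WRAPPERS = ("php://", "data:", "file:", "expect:", "phar://", "zip://")
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def normalise(value, rounds=3):
    """Percent-decode until the value stops changing (defeats double encoding),
    then fold backslashes so ..\\ is matched like ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def classify_request(target, status):
    """Score one request target. Returns (score, reasons); 2 or more is worth an
    analyst's time, a suspicious parameter name on its own is not."""
    parts = urlsplit(target)
    path = normalise(parts.path)
    params = parse_qsl(parts.query, keep_blank_values=True)  # unquotes once
    pieces = [path, *(normalise(v) for _, v in params)]      # ...and again here
    haystack = "\n".join(pieces).lower()
    score, reasons = 0, []
    if any(TRAVERSAL_RE.search(piece) for piece in pieces):
        score += 3
        reasons.append("traversal")
    if any(w in haystack for w in WRAPPERS):
        score += 3
        reasons.append("stream_wrapper")
    if "\x00" in haystack:                      # null-byte suffix truncation
        score += 3
        reasons.append("null_byte")
    if any(s in haystack for s in SENSITIVE):
        score += 2
        reasons.append("sensitive_file")
        if status == "200":                     # served, not blocked
            score += 2
            reasons.append("sensitive_file_served")
    on_theme_code = path.startswith(THEME_PREFIX) and path.endswith(".php")
    if on_theme_code and any(name.lower() in LFI_PARAMS for name, _ in params):
        score += 1
        reasons.append("lfi_param_on_theme_code")
    return score, reasons


def scan_log(lines, threshold=2):
    """Return one finding per line whose request scores at or above threshold."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        score, reasons = classify_request(m["target"], m["status"])
        if score >= threshold:
            findings.append({"ip": m["ip"], "time": m["time"], "status": m["status"],
                             "target": m["target"], "score": score, "reasons": reasons})
    return findings


SAMPLE_LOG = [  # constructed lines in combined log format
    '198.51.100.23 - - [06/Mar/2026:10:14:02 +0000] "GET /wp-content/themes/example-theme/view.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [06/Mar/2026:10:14:05 +0000] "GET /wp-content/themes/example-theme/view.php?template=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1402 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Mar/2026:10:20:41 +0000] "GET /wp-content/themes/example-theme/view.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 812 "-" "curl/8.4.0"',
    '203.0.113.9 - - [06/Mar/2026:10:20:44 +0000] "GET /wp-content/themes/example-theme/view.php?file=..%2F..%2Fwp-config.php%00.png HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    '192.0.2.15 - - [06/Mar/2026:10:21:00 +0000] "GET /wp-content/themes/example-theme/style.css HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [06/Mar/2026:10:21:03 +0000] "GET /?page=about HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['status']} score={f['score']:<2} {','.join(f['reasons'])}  {f['target']}")
```

The threshold matters: a bare `?page=about` on the front page scores 0 and the same parameter on a theme PHP file scores 1, so neither is reported, while a traversal payload, a wrapper or a null byte is enough on its own. Feed real logs in with `scan_log(open(path))` and tune SENSITIVE and THEME_PREFIX to the site.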
Immediate mitigations you can apply now (no theme update required)
If you run the affected theme and cannot immediately update it, apply these pragmatic steps:
- Block LFI patterns at the edge (virtual patching): implement server or firewall rules that block directory traversal (../ and encoded forms), null bytes, and PHP stream-wrapper schemes (php://, data:, file:). Where possible, restrict access to theme include endpoints to trusted origins.
- Restrict direct access to sensitive files: add web server rules that deny requests for wp-config.php, .env, .git and other known sensitive names.
- Lock down theme files: temporarily remove or rename suspect entry-point files in the theme that call include() with untrusted input. If a vulnerable file is not required for public functionality, move it out of the web root.
- Harden file permissions and PHP execution: ensure upload directories cannot execute PHP. Apply least-privilege permissions (files 644, directories 755) and verify that the web server user cannot write to core, theme or plugin directories.
- Rotate keys and credentials if you find evidence of disclosure: if wp-config.php or other secrets were accessed, rotate database credentials, authentication salts and any exposed API keys immediately, and update the configuration accordingly.
- Monitor and isolate suspicious hosts: block attacker IPs while you investigate. If a persistent backdoor or shell exists, consider isolating the host to prevent further damage.
- Back up before remediation: create full filesystem and database backups to preserve evidence and provide recovery points.
Apply these controls urgently — they reduce immediate risk and provide time to perform full remediation.
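As an added example for the filesystem checks in the detection section (“recently modified files and unexpected PHP files in uploads”) and for the permission-hardening items in the list above, the Python audit below walks a WordPress document root and reports PHP files under wp-content/uploads, PHP files modified within the last 72 hours, files with modes looser than 644, group- or world-writable directories, common webshell function names, and a missing .htaccess in the uploads directory. It is not code from the advisory; the marker strings, the 72-hour window and the Apache-only .htaccess check are this example's assumptions, and run_demo() plants a constructed tree so the checks can be exercised offline.

```python
"""Audit a WordPress document root for LFI follow-on indicators.

Added example, not code from the advisory. audit_tree() walks a real document
root; run_demo() builds a throwaway WordPress-like tree with a planted webshell
so the checks run offline. Thresholds and marker strings are this example's
assumptions, not the advisory's.
"""
import os
import shutil
import stat
import tempfile
import time
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}
# Functions found in most dropped webshells; legitimate code uses some of them
# too, so a hit means "read this file", not "this is malware".
WEBSHELL_MARKERS = (b"eval(", b"base64_decode(", b"shell_exec(", b"passthru(", b"$_REQUEST[")
RECENT = 72 * 3600   # "recently modified" window, matching the 24-72 h triage horizon
PROTECTED = ("wp-admin", "wp-includes", "wp-content/themes", "wp-content/plugins")


def audit_tree(root, now=None, as_web_user=False):
    """Return (kind, relative_path, detail) tuples for everything worth a look.

    Run with as_web_user=True under the web server account (e.g. sudo -u www-data)
    to also report code directories that account can write to."""
    root = Path(root).resolve()
    now = time.time() if now is None else now
    findings = []
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        mode = stat.S_IMODE(p.lstat().st_mode)
        if p.is_dir():
            if mode & 0o022:                       # group/world writable directory
                findings.append(("writable_dir", rel, oct(mode)))
            if as_web_user and rel.startswith(PROTECTED) and os.access(p, os.W_OK):
                findings.append(("web_user_can_write", rel, ""))
            continue
        if mode & 0o133:                           # any bit beyond rw-r--r--
            findings.append(("loose_file_mode", rel, oct(mode)))
        if p.suffix.lower() not in PHP_SUFFIXES:
            continue
        if rel.startswith("wp-content/uploads/"):
            findings.append(("php_in_uploads", rel, ""))
        mtime = p.stat().st_mtime
        if now - mtime < RECENT:
            stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(mtime))
            findings.append(("recently_modified_php", rel, stamp))
        head = p.read_bytes()[:65536]
        hits = [m.decode() for m in WEBSHELL_MARKERS if m in head]
        if hits:
            findings.append(("webshell_marker", rel, ",".join(hits)))
    # Apache hosts: uploads should carry a rule that stops PHP execution.
    # nginx expresses this in the server block instead; adapt the check there.
    if not (root / "wp-content/uploads/.htaccess").exists():
        findings.append(("uploads_php_not_blocked", "wp-content/uploads", "no .htaccess"))
    return findings


def run_demo():
    """Build a constructed WordPress-like tree with one planted webshell, audit it, clean up."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    month_ago = time.time() - 30 * 86400
    files = {  # relative path: (content, mode, mtime), all constructed
        "wp-config.php": (b"<?php define('DB_NAME', 'wp');", 0o640, month_ago),
        "wp-content/themes/example-theme/index.php": (b"<?php get_header();", 0o644, month_ago),
        "wp-content/plugins/sample/sample.php": (b"<?php // plugin", 0o777, month_ago),
        "wp-content/uploads/2026/03/photo.jpg": (b"\xff\xd8\xff", 0o644, time.time() - 600),
        "wp-content/uploads/2026/03/cache.php": (
            b"<?php eval(base64_decode($_REQUEST['c']));", 0o644, time.time() - 600),
    }
    try:
        for rel, (body, mode, mtime) in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body)
            os.chmod(p, mode)
            os.utime(p, (mtime, mtime))
        for d in root.rglob("*"):
            if d.is_dir():
                os.chmod(d, 0o755)
        return audit_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, rel, detail in run_demo():
        print(f"{kind:24} {rel}  {detail}")
```

On the demo tree the planted `cache.php` is reported three times (PHP in uploads, recently modified, webshell markers), the world-writable plugin file once, and the missing uploads `.htaccess` once; the untouched theme and wp-config.php produce nothing. Treat the marker check as a triage aid, since WordPress core and legitimate plugins call base64_decode() too.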
Secure code fixes and developer guidance
If you maintain the theme or work with a developer, fix the root cause by eliminating use of unvalidated, user-controlled input for include/require operations. The strongest control is whitelisting.
Recommended safe patterns
1. Use a whitelist of allowed templates or files. Map logical names to actual files:
```php
// Allowed templates mapping: the request selects a key, never a path
$allowed = [
    'contact'  => 'templates/contact.php',
    'services' => 'templates/services.php',
    'about'    => 'templates/about.php',
];
// Reject non-string input (?page[]=x) before the lookup; an array key makes
// array_key_exists() throw a TypeError on PHP 8.
$p = ( isset( $_GET['page'] ) && is_string( $_GET['page'] ) ) ? $_GET['page'] : 'home';
if ( array_key_exists( $p, $allowed ) ) {
    include get_template_directory() . '/' . $allowed[ $p ];
} else {
    include get_template_directory() . '/templates/home.php';
}
```
2. Never pass raw input to include/require. Whitelisting is the strongest control; basename()/realpath() are only partial mitigations.
3. If translation of input to a path is unavoidable, canonicalise and ensure the file is inside a safe base directory:
```php
$base = realpath( get_template_directory() . '/templates' );
// basename() discards any directory component (and so every ../ step); the fixed
// .php suffix stops wrappers and non-template files from being selected.
$target = ( $base && is_string( $p ) ) ? realpath( $base . '/' . basename( $p ) . '.php' ) : false;
// Compare against the base plus a separator: a bare strpos( $target, $base ) === 0
// would also accept a sibling directory such as templates-old/.
if ( $target && strpos( $target, $base . DIRECTORY_SEPARATOR ) === 0 ) {
    include $target;
} else {
    include get_template_directory() . '/templates/home.php';
}
```
4. Avoid dynamic code evaluation (eval(), create_function, etc.) and treat file contents as data, not executable code.
5. Ensure the web server process has least-privilege for file operations and cannot arbitrarily modify theme code.
For theme updates, include secure unit tests and code review focused on include() usage. Automated static analysis can help detect risky calls.
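To make the containment check concrete, here is an added Python model of the canonicalise-and-contain pattern from item 3 (it is not the theme's code, and the directory layout it creates is constructed). It exercises the two cases a bare string-prefix comparison such as strpos($target, $base) === 0 gets wrong: a sibling directory that happens to share the prefix (templates-old/), and a symlink planted inside the template directory that points at wp-config.php, which realpath() resolves to its true location.

```python
"""Resolve a user-controlled template name inside one fixed directory.

Added example, not the theme's code: a Python model of the canonicalise-and-
contain pattern, written to show the cases a bare string-prefix check gets
wrong. The directory layout built by run_demo() is constructed.
"""
import os
import shutil
import tempfile


class TemplateNotAllowed(ValueError):
    """Raised instead of silently falling back, so callers can log the attempt."""


def contains(base_real, target_real):
    """Component-wise containment: <base>/x passes, <base>-old/x does not."""
    return os.path.commonpath([base_real, target_real]) == base_real


def resolve_template(base_dir, name):
    """Map a logical template name to <base_dir>/<basename(name)>.php, or raise."""
    if not isinstance(name, str) or not name or "\x00" in name:
        raise TemplateNotAllowed("template name must be a non-empty string without NUL")
    base_real = os.path.realpath(base_dir)
    # basename() drops every directory component, and with it every ../ step;
    # the fixed .php suffix rules out wrappers and non-template files.
    candidate = os.path.join(base_real, os.path.basename(name) + ".php")
    # realpath() follows symlinks, so a link planted inside the template
    # directory that points at wp-config.php resolves to its real location.
    target_real = os.path.realpath(candidate)
    if not contains(base_real, target_real):
        raise TemplateNotAllowed(f"{name!r} resolves outside the template directory")
    if not os.path.isfile(target_real):
        raise TemplateNotAllowed(f"no template named {name!r}")
    return target_real


def prefix_check(base_dir, target):
    """The weak check, strpos($target, $base) === 0, kept only for comparison."""
    return os.path.realpath(target).startswith(os.path.realpath(base_dir))


def run_demo():
    """Lay out templates/, a sibling templates-old/, and a planted symlink; return outcomes."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="lfi-demo-"))
    base = os.path.join(root, "templates")
    sibling = os.path.join(root, "templates-old")
    os.makedirs(base)
    os.makedirs(sibling)
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed');")
    for d, n in ((base, "home"), (base, "about"), (sibling, "secret")):
        with open(os.path.join(d, n + ".php"), "w") as fh:
            fh.write(f"<?php // {n}")
    # An attacker with write access to templates/ plants a link out of the tree.
    os.symlink(os.path.join(root, "wp-config.php"), os.path.join(base, "evil.php"))
    cases = ["about", "../../wp-config", "../templates-old/secret", "evil",
             "about\x00.png", "", ["about"]]
    results = {}
    for name in cases:
        try:
            results[repr(name)] = os.path.relpath(resolve_template(base, name), root)
        except TemplateNotAllowed as exc:
            results[repr(name)] = f"rejected: {exc}"
    secret = os.path.join(sibling, "secret.php")
    results["prefix_check_accepts_sibling"] = prefix_check(base, secret)
    results["contains_accepts_sibling"] = contains(os.path.realpath(base), os.path.realpath(secret))
    shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:32} -> {outcome}")
```

Only `'about'` resolves; every traversal, NUL, empty, array and symlink case is rejected, and the last two entries show the prefix check accepting templates-old/secret.php while the component-wise check does not. In the PHP version the equivalent fix is to compare against `$base . DIRECTORY_SEPARATOR`, as in item 3 above.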
Full remediation checklist (prioritised)
Follow these steps in order of urgency:
Immediate (within hours)
- Apply edge/server rules to block LFI patterns and requests targeting known vulnerable endpoints.
- Deny direct access to sensitive files via nginx/apache rules.
- Create full backups (filesystem + DB) before changes.
Short term (24–72 hours)
- If a vendor patch is available, update the theme across all sites (test on staging first).
- If no patch exists, disable or replace the vulnerable theme on production; switch to a default or known-good theme while you remediate.
- Rotate database and API credentials if compromise is suspected.
Mid term (1–2 weeks)
- Replace modified or malicious files with clean copies from verified sources or backups.
- Audit for malicious users, scheduled tasks, and unexpected outbound connections.
- Run a full malware scan and file-integrity check.
Long term (ongoing)
- Harden file permissions and disable PHP execution in the uploads directory.
- Implement logging and monitoring for anomalies; keep systems patched.
- Use staging for updates and maintain an incident response plan.
Hardening recommendations for WordPress hosts and site owners
- Maintain and test full site backups and restoration procedures.
- Apply least-privilege to file system and database accounts.
- Enforce strong secrets and rotate them periodically (DB passwords, salts, API keys).
- Disable file editing via the admin interface by adding `define('DISALLOW_FILE_EDIT', true);` to wp-config.php.
- Run periodic vulnerability scans and file integrity checks.
- Configure the web server to deny access to .git, .env and backup files.
- Restrict unnecessary outbound server connections where feasible.
- Enable two-factor authentication for admin accounts and monitor login attempts.
Incident response: what to do if you suspect your site was compromised
- Isolate: put the site into maintenance/offline mode if possible. Block suspect IPs and isolate the host if there is active data exfiltration or a persistent shell.
- Preserve evidence: take forensic snapshots of the filesystem and database before modifying anything. Preserve server logs (web, PHP, syslog).
- Eradicate: remove malicious files or restore from a verified clean backup. Rotate credentials and invalidate sessions. Remove suspicious admin users and scheduled tasks.
- Recover: restore services from clean sources, harden the site, and monitor closely for recurrence.
- Review and learn: conduct root cause analysis and improve defences to reduce the chance of recurrence.
If the breach is complex or you lack internal capability, engage a qualified incident response specialist experienced with WordPress forensic investigations.
Getting professional help and services
If you need assistance implementing mitigations, performing forensic analysis, or restoring sites across multiple clients, seek a trusted security consultant or incident response provider. Ask potential providers for:
- Proven experience with WordPress incident response and forensic timelines.
- References and prior engagement summaries (redacted as necessary).
- Clear scope of work, deliverables, and timelines for containment, eradication and recovery.
- Secure handling of credentials and evidence preservation practices.
Safe testing guidance and notes for security teams
- Only test systems you own or have explicit permission to test.
- Do not include sensitive files in tests — use benign files to confirm inclusion behaviour.
- Prefer passive log analysis before active exploitation testing.
- If active testing is required, use an isolated staging environment and preserve logs for analysis.
- Follow responsible disclosure if you discover additional issues.
Public exploit code and mass-scanners appear quickly after disclosure; apply mitigations promptly.
Appendix — Example server rules (high level, test before use)
High-level examples you can adapt to your environment:
- Block direct access to wp-config.php (Nginx snippet): `location ~* wp-config\.php { deny all; }`
- Deny requests containing traversal sequences: reject requests with ../ or encoded variants where your server supports request matching.
- Block suspicious stream-wrapper schemes: deny requests containing php://, data:, expect:, etc.
These rules are intentionally generic — adapt and test carefully in staging before deploying to production.