CVE-2025-10143
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-17

Last updated on: 2025-09-17

Assigner: Wordfence

Description
The Catch Dark Mode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0 via the 'catch_dark_mode' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-17
Last Modified
2025-09-17
Generated
2026-05-07
AI Q&A
2025-09-17
EPSS Evaluated
2026-05-05
NVD
CVE-2025-10143
EUVD
EUVD-2025-29676
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
catch_themes catch_dark_mode 2.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the Catch Dark Mode WordPress plugin is a Local File Inclusion (LFI) issue. It allows authenticated users with Contributor-level access or higher to exploit the 'catch_dark_mode' shortcode to include and execute arbitrary PHP files on the server. This happens because the plugin originally loaded template files based on a user-supplied 'style' parameter without sufficient validation, enabling attackers to execute any PHP code in included files. The vulnerability was fixed by introducing a whitelist of allowed styles, sanitizing inputs, and verifying file paths to prevent inclusion of unauthorized files. [1, 2]


How can this vulnerability impact me? :

This vulnerability can allow attackers with Contributor-level access or above to execute arbitrary PHP code on the server by including malicious files. This can lead to bypassing access controls, obtaining sensitive data, and full code execution on the server hosting the WordPress site. Such impacts can compromise the integrity, confidentiality, and availability of the website and its data. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

To detect this vulnerability, check if your WordPress site is running the Catch Dark Mode plugin version 2.0 or earlier. You can verify the plugin version via the WordPress admin dashboard or by inspecting the plugin files. Additionally, monitoring HTTP requests for usage of the 'catch_dark_mode' shortcode with unusual or unexpected 'style' parameters may indicate exploitation attempts. There are no specific commands provided in the resources for detection. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Catch Dark Mode plugin to version 2.0.1 or later, where the Local File Inclusion vulnerability has been fixed by implementing strict input validation and path sanitization. If updating is not immediately possible, restrict Contributor-level and higher user permissions carefully and monitor for suspicious activity involving the 'catch_dark_mode' shortcode. [1, 2]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart