CVE-2025-58913
Received Received - Intake
PHP Local File Inclusion Vulnerability in CactusThemes VideoPro

Publication date: 2026-04-10

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro videopro allows PHP Local File Inclusion.This issue affects VideoPro: from n/a through <= 2.3.8.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58913
EUVD
EUVD-2025-209403
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cactusthemes videopro From 2.3.0 (inc) to 2.3.8.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-58913 is a Local File Inclusion (LFI) vulnerability found in the WordPress VideoPro Theme versions up to and including 2.3.8.1. It allows unauthenticated attackers to manipulate the theme to include and display local files from the target website.

This happens due to improper control of filenames used in include or require statements in PHP, which can be exploited to access sensitive files on the server.

Impact Analysis

Exploitation of this vulnerability can expose sensitive information such as database credentials by allowing attackers to include local files from the server.

Depending on the website's configuration, attackers could potentially take over the entire database, leading to severe data breaches and loss of control over the site.

Because the vulnerability is unauthenticated and has a high severity score (8.1), it poses a significant risk and is likely to be targeted in mass exploitation campaigns.

Mitigation Strategies

To mitigate the CVE-2025-58913 Local File Inclusion vulnerability in the WordPress VideoPro Theme, users should apply the mitigation rule issued by Patchstack that can block attacks exploiting this vulnerability until an official patch is released.

Users are strongly advised to update the VideoPro theme to a patched version once it becomes available.

If an immediate update is not possible, seek assistance from your hosting provider or web developer to implement the recommended mitigations.

Compliance Impact

The Local File Inclusion (LFI) vulnerability in the VideoPro WordPress theme can lead to unauthorized access to sensitive information such as database credentials. This exposure increases the risk of data breaches, which can compromise personal and protected data.

Such data breaches and unauthorized access can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require the protection of sensitive personal and health information. Failure to secure systems against this vulnerability could result in violations of these regulations due to potential data exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58913. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart