CVE-2025-58913
PHP Local File Inclusion Vulnerability in CactusThemes VideoPro
Publication date: 2026-04-10
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cactusthemes | videopro | From 2.3.0 (inc) to 2.3.8.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The Local File Inclusion (LFI) vulnerability in the VideoPro WordPress theme can lead to unauthorized access to sensitive information such as database credentials. This exposure increases the risk of data breaches, which can compromise personal and protected data.
Such data breaches and unauthorized access can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require the protection of sensitive personal and health information. Failure to secure systems against this vulnerability could result in violations of these regulations due to potential data exposure.
Can you explain this vulnerability to me?
CVE-2025-58913 is a Local File Inclusion (LFI) vulnerability found in the WordPress VideoPro Theme versions up to and including 2.3.8.1. It allows unauthenticated attackers to manipulate the theme to include and display local files from the target website.
This happens due to improper control of filenames used in include or require statements in PHP, which can be exploited to access sensitive files on the server.
How can this vulnerability impact me? :
Exploitation of this vulnerability can expose sensitive information such as database credentials by allowing attackers to include local files from the server.
Depending on the website's configuration, attackers could potentially take over the entire database, leading to severe data breaches and loss of control over the site.
Because the vulnerability is unauthenticated and has a high severity score (8.1), it poses a significant risk and is likely to be targeted in mass exploitation campaigns.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2025-58913 Local File Inclusion vulnerability in the WordPress VideoPro Theme, users should apply the mitigation rule issued by Patchstack that can block attacks exploiting this vulnerability until an official patch is released.
Users are strongly advised to update the VideoPro theme to a patched version once it becomes available.
If an immediate update is not possible, seek assistance from your hosting provider or web developer to implement the recommended mitigations.