CVE-2025-32154

CVE-2025-32154 is a PHP Local File Inclusion vulnerability in the WordPress Catch Dark Mode plugin (Catch Themes) <= 1.2.1, caused by improper control of filenames used in include/require statements, potentially allowing an attacker to include local files on the server.

Description

This vulnerability stems from improper control of filenames for PHP include/require statements, enabling PHP Local File Inclusion (LFI). The flaw affects Catch Dark Mode up to version 1.2.1 and is associated with CWE-98 (Improper Control of Filename for Include/Require Statement) and CAPEC-252 (PHP Local File Inclusion). The issue is exploitable over the network with no user interaction and requires only low privileges, with high impact on confidentiality, integrity, and availability. An attacker could disclose sensitive information or, in certain server configurations, leverage the inclusion to execute code via crafted inputs. Affected products are Catch Dark Mode versions ≤ 1.2.1 in the Catch Themes ecosystem.

Overview

This CVE documents a PHP Local File Inclusion weakness in the Catch Dark Mode WordPress plugin by Catch Themes, identified as CVE-2025-32154. The flaw arises from improper handling of filenames used in include/require statements, enabling an attacker to reference local server files. It affects Catch Dark Mode up to version 1.2.1 and carries a CVSS v3.1 base score of 7.5 (HIGH). The vulnerability is reachable over the network, requires no user interaction and only low privileges, and therefore represents a high-severity exposure for affected WordPress sites.

Remediation

  • Upgrade: Update Catch Dark Mode to a version that includes the fix (beyond 1.2.1) or remove the plugin if no patched version is available.
  • If immediate upgrade isn’t possible: temporarily disable or remove the plugin to reduce risk.
  • Vendor guidance: Apply the vendor-provided patch or advisory once released; monitor Patchstack for updates.
  • Code and input hardening (if you maintain the plugin or its integration): Ensure include/require statements do not use user-controlled input; validate and sanitize any paths used for file inclusion; avoid dynamic file paths built from external input.
  • Environment hardening: Restrict file permissions and disable directory listing; implement a least-privilege WordPress hosting environment.
  • Defense in depth: Deploy a Web Application Firewall or security plugin with rules to detect or block LFI patterns; monitor server and application logs for suspicious include requests.
  • Verification: After remediation, confirm in a staging environment that the vulnerable inclusion can no longer be triggered; perform a follow-up scan or code review to ensure the mitigation persists.
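The code-hardening bullet above describes CWE-98 in general terms. The following is an added example, not code from the Catch Dark Mode plugin, showing the unsafe pattern the advisory refers to beside an allowlist-based replacement. The request parameter name `mode`, the `templates/` directory and the template file names are constructed for illustration and say nothing about the plugin's actual code.

```php
<?php
// Added example (not the plugin's code). Shows the CWE-98 pattern the
// advisory describes and one way to remove it: map a request value to a
// fixed set of files instead of letting input shape the include path.
// The "mode" parameter and template names below are constructed.

// UNSAFE pattern (do not use): the include path is built from request input,
// so traversal sequences or other local paths reach include() unchanged.
function render_mode_unsafe(string $mode): void
{
    include __DIR__ . '/templates/' . $mode . '.php';
}

// HARDENED: the request value is only ever a lookup key, never a path.
const DARK_MODE_TEMPLATES = [
    'light' => 'light.php',
    'dark'  => 'dark.php',
    'auto'  => 'auto.php',
];

// Returns an absolute path inside the templates directory, or null to refuse.
function resolve_template(string $mode): ?string
{
    // Unknown key: refuse outright rather than trying to "clean" the input.
    if (!array_key_exists($mode, DARK_MODE_TEMPLATES)) {
        return null;
    }

    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . DARK_MODE_TEMPLATES[$mode]);

    // Defense in depth: even an allowlisted entry must resolve to a real file
    // under the templates directory (guards against symlinks or a tampered map).
    // realpath() returns false for a missing file, which is also rejected.
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_mode_safe(string $mode): void
{
    $path = resolve_template($mode);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown display mode.';
        return;
    }
    include $path;
}

// Sanity checks on constructed inputs (no HTTP request involved). These hold
// even when the templates directory does not exist, because every rejection
// happens before or at the realpath() step.
assert(resolve_template('../../../etc/passwd') === null);
assert(resolve_template("dark\0") === null);
assert(resolve_template('dark.php') === null);   // value must be a key, not a file name
```

In a WordPress plugin the same idea applies with the request value read through the usual sanitization helpers; the essential property is that nothing derived from the request is ever concatenated into the argument of include/require. Note that PHP's `assert()` is disabled by default in production configurations, so the checks at the bottom are for a development run only.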

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Accommodation & Food Services: Low
  2. Administrative, Support, Waste Management & Remediation Services: Low
  3. Agriculture, Forestry, Fishing & Hunting: Low
  4. Arts, Entertainment & Recreation: Low
  5. Construction: Low
  6. Educational Services: Low
  7. Finance and Insurance: Low
  8. Health Care & Social Assistance: Low
  9. Information: Low
  10. Management of Companies & Enterprises: Low
  11. Manufacturing: Low
  12. Mining: Low
  13. Other Services (except Public Administration): Low
  14. Professional, Scientific, & Technical Services: Low
  15. Public Administration: Low
  16. Real Estate Rental & Leasing: Low
  17. Retail Trade: Low
  18. Transportation & Warehousing: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
