{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10143", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-08T20:51:23.453Z", "datePublished": "2025-09-17T01:49:15.450Z", "dateUpdated": "2026-04-08T16:49:50.054Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:50.054Z"}, "affected": [{"vendor": "catchthemes", "product": "Catch Dark Mode", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Catch Dark Mode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0 via the 'catch_dark_mode' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included."}], "title": "Catch Dark Mode <= 2.0 - Authenticated (Contributor+) Local File Inclusion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46776cd5-5262-46ea-b56c-0cbf2b9ae43d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/catch-dark-mode/trunk/plugin.php#L483"}, {"url": "https://wordpress.org/plugins/catch-dark-mode"}, {"url": "https://plugins.trac.wordpress.org/changeset/3359058/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "cweId": "CWE-98", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "timeline": [{"time": "2025-09-10T08:23:22.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-16T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-17T13:11:46.692375Z", "id": "CVE-2025-10143", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-17T13:11:53.399Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10143", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-17T13:11:46.692375Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-17T13:11:50.685Z"}}], "cna": {"title": "Catch Dark Mode <= 2.0 - Authenticated (Contributor+) Local File Inclusion", "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "catchthemes", "product": "Catch Dark Mode", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-10T08:23:22.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-16T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46776cd5-5262-46ea-b56c-0cbf2b9ae43d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/catch-dark-mode/trunk/plugin.php#L483"}, {"url": "https://wordpress.org/plugins/catch-dark-mode"}, {"url": "https://plugins.trac.wordpress.org/changeset/3359058/"}], "descriptions": [{"lang": "en", "value": "The Catch Dark Mode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0 via the 'catch_dark_mode' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:50.054Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10143", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:49:50.054Z", "dateReserved": "2025-09-08T20:51:23.453Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-17T01:49:15.450Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Catch Dark Mode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0 via the 'catch_dark_mode' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included."}], "id": "CVE-2025-10143", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-17T02:15:32.947", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/catch-dark-mode/trunk/plugin.php#L483"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3359058/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/catch-dark-mode"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46776cd5-5262-46ea-b56c-0cbf2b9ae43d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:54:23.369592+00:00", "value": {"mitigation_remediation": ["Update the Catch Dark Mode plugin to any release newer than 2.0.", "If an update is not immediately possible, temporarily remove or disable the catch_dark_mode shortcode\u2014for example, by deleting its usage from posts and pages or commenting out its function in plugin.php\u2014to stop the inclusion of arbitrary files.", "Revoke Contributor-level permissions on the site until the plugin is fully patched or the shortcode is disabled."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution via Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Catch Dark Mode plugin from Catch Themes. All releases up to and including version 2.0 are impacted. Users of older versions must update to a later release to eliminate the flaw.", "description_and_impact": "The Catch Dark Mode WordPress plugin contains a Local File Inclusion vulnerability that allows authenticated users with Contributor-level access to include and execute arbitrary .php files on the server. This flaw is triggered via the catch_dark_mode shortcode and permits the execution of any PHP code contained in the chosen file, enabling attackers to bypass access controls, retrieve sensitive data, or run arbitrary code on the host. The likely attack vector involves supplying a malicious file path via the shortcode, a detail that is inferred from the description.", "risk_and_exploitability": "The likely attack vector involves supplying a malicious file path through the catch_dark_mode shortcode, which is inferred from the description. The CVSS score of 7.5 indicates a high severity local vulnerability. The EPSS score of less than 1% reflects a low likelihood of exploitation at present, and the issue is not listed in the CISA KEV catalog. Attackers require authenticated Contributor or higher privileges and must supply a malicious path via the catch_dark_mode shortcode, often by first uploading a .php file or referencing an existing one on the server."}}}}, "created": "2025-09-17T10:04:02.663113+00:00", "updated": "2026-04-22T17:00:12.326828+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}