{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-32154", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-04-04T10:00:58.028Z", "datePublished": "2025-04-04T15:58:39.687Z", "dateUpdated": "2026-04-28T16:12:17.647Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "catch-dark-mode", "product": "Catch Dark Mode", "vendor": "Catch Themes", "versions": [{"changes": [{"at": "2.1", "status": "unaffected"}], "lessThanOrEqual": "2.0.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:38:21.635Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Catch Themes Catch Dark Mode catch-dark-mode allows PHP Local File Inclusion.<p>This issue affects Catch Dark Mode: from n/a through <= 2.0.1.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Catch Themes Catch Dark Mode catch-dark-mode allows PHP Local File Inclusion.This issue affects Catch Dark Mode: from n/a through <= 2.0.1."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:12:17.647Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/catch-dark-mode/vulnerability/wordpress-catch-dark-mode-plugin-1-2-1-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Catch Dark Mode plugin <= 2.0.1 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-04T19:53:22.621145Z", "id": "CVE-2025-32154", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-04T20:16:53.900Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-32154", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-04T19:53:22.621145Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-04T19:53:24.472Z"}}], "cna": {"title": "WordPress Catch Dark Mode plugin <= 2.0.1 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Catch Themes", "product": "Catch Dark Mode", "versions": [{"status": "affected", "changes": [{"at": "2.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.0.1"}], "packageName": "catch-dark-mode", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:30:37.395Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/catch-dark-mode/vulnerability/wordpress-catch-dark-mode-plugin-1-2-1-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Catch Themes Catch Dark Mode catch-dark-mode allows PHP Local File Inclusion.This issue affects Catch Dark Mode: from n/a through <= 2.0.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Catch Themes Catch Dark Mode catch-dark-mode allows PHP Local File Inclusion.<p>This issue affects Catch Dark Mode: from n/a through <= 2.0.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:09:47.956Z"}}}, "cveMetadata": {"cveId": "CVE-2025-32154", "state": "PUBLISHED", "dateUpdated": "2026-04-23T14:09:47.956Z", "dateReserved": "2025-04-04T10:00:58.028Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-04-04T15:58:39.687Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:catchthemes:catch_dark_mode:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "C551BDF9-944C-4496-B54B-8C26EEE6D5D4", "versionEndExcluding": "2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Catch Themes Catch Dark Mode catch-dark-mode allows PHP Local File Inclusion.This issue affects Catch Dark Mode: from n/a through <= 2.0.1."}, {"lang": "es", "value": "Vulnerabilidad de control incorrecto del nombre de archivo para la instrucci\u00f3n Include/Require en programas PHP ('Inclusi\u00f3n remota de archivos en PHP') en Catch Themes Catch Dark Mode permite la inclusi\u00f3n local de archivos en PHP. Este problema afecta al modo Catch Dark desde n/d hasta la versi\u00f3n 1.2.1."}], "id": "CVE-2025-32154", "lastModified": "2026-04-23T15:28:39.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-04T16:15:23.833", "references": [{"source": "audit@patchstack.com", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/Wordpress/Plugin/catch-dark-mode/vulnerability/wordpress-catch-dark-mode-plugin-1-2-1-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"created": "2026-05-01T00:45:05.192552+00:00", "updated": "2026-05-01T00:45:05.192562+00:00", "vendors": []}