{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-58913", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-09-06T04:44:19.609Z", "datePublished": "2026-04-10T13:21:05.820Z", "dateUpdated": "2026-04-28T16:13:49.305Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "videopro", "product": "VideoPro", "vendor": "CactusThemes", "versions": [{"lessThanOrEqual": "2.3.8.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:19.631Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro videopro allows PHP Local File Inclusion.<p>This issue affects VideoPro: from n/a through <= 2.3.8.1.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro videopro allows PHP Local File Inclusion.This issue affects VideoPro: from n/a through <= 2.3.8.1."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:13:49.305Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/videopro/vulnerability/wordpress-videopro-theme-2-3-8-1-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress VideoPro theme <= 2.3.8.1 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T18:05:15.343092Z", "id": "CVE-2025-58913", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:05:51.935Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-58913", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T18:05:15.343092Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:05:48.551Z"}}], "cna": {"title": "WordPress VideoPro theme <= 2.3.8.1 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CactusThemes", "product": "VideoPro", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.3.8.1"}], "packageName": "videopro", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:19.631Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/videopro/vulnerability/wordpress-videopro-theme-2-3-8-1-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro videopro allows PHP Local File Inclusion.This issue affects VideoPro: from n/a through <= 2.3.8.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro videopro allows PHP Local File Inclusion.<p>This issue affects VideoPro: from n/a through <= 2.3.8.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:13:49.305Z"}}}, "cveMetadata": {"cveId": "CVE-2025-58913", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:13:49.305Z", "dateReserved": "2025-09-06T04:44:19.609Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-10T13:21:05.820Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro videopro allows PHP Local File Inclusion.This issue affects VideoPro: from n/a through <= 2.3.8.1."}], "id": "CVE-2025-58913", "lastModified": "2026-04-24T18:00:32.033", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-04-10T14:16:25.127", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/videopro/vulnerability/wordpress-videopro-theme-2-3-8-1-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.3.8.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "VideoPro", "source": "cna", "vendor": "CactusThemes"}, "product": "videopro", "vendor": "cactusthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T21:38:26.848297+00:00", "value": {"mitigation_remediation": ["Update the VideoPro theme to the latest version that includes the fix for the LFI vulnerability.", "If an update cannot be applied immediately, disable or remove the VideoPro theme from the site until a patch is applied.", "Implement WordPress hardening practices, including restricting file read permissions and validating all input that influences include/require statements.", "Monitor server logs for suspicious file inclusion or access attempts to detect exploitation attempts in progress."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "Any WordPress installation running CactusThemes VideoPro version 2.3.8.1 or earlier is affected. The flaw applies from the earliest available release through 2.3.8.1.", "description_and_impact": "This vulnerability arises from Improper Control of Filename for Include/Require Statement in PHP, allowing an attacker to arbitrarily include local files via the VideoPro WordPress theme. By supplying a crafted path to the theme\u2019s include/require logic, an adversary can read any readable file on the server, such as configuration files or credentials. The flaw is identified as CWE\u201198: Improper Control of File Name for Include/Require Statement.", "risk_and_exploitability": "The CVSS base score of 8.1 signals a high severity issue. The EPSS score is 0.0005 (< 1%), and the vulnerability is not listed in the CISA KEV catalog, indicating no known public exploits at this time. The likely attack vector is remote, via a crafted URL or form input that targets the theme\u2019s include logic. Successful exploitation would allow reading arbitrary files on the server, leading to significant information disclosure and possibly facilitating further compromise."}}}}, "created": "2026-04-13T12:44:53.886677+00:00", "updated": "2026-04-28T21:45:26.143445+00:00", "vendors": ["cactusthemes", "cactusthemes$PRODUCT$videopro", "wordpress", "wordpress$PRODUCT$wordpress"]}