Description
The Catch Dark Mode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0 via the 'catch_dark_mode' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Published: 2025-09-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Local File Inclusion
Action: Patch Immediately
AI Analysis

Impact

The Catch Dark Mode WordPress plugin contains a Local File Inclusion vulnerability that allows authenticated users with Contributor-level access to include and execute arbitrary .php files on the server. This flaw is triggered via the catch_dark_mode shortcode and permits the execution of any PHP code contained in the chosen file, enabling attackers to bypass access controls, retrieve sensitive data, or run arbitrary code on the host. The likely attack vector involves supplying a malicious file path via the shortcode, a detail that is inferred from the description.

Affected Systems

The vulnerability affects the Catch Dark Mode plugin from Catch Themes. All releases up to and including version 2.0 are impacted. Users of older versions must update to a later release to eliminate the flaw.

Risk and Exploitability

The likely attack vector, inferred from the description, is supplying a malicious file path through the catch_dark_mode shortcode. The CVSS score of 7.5 indicates a high-severity Local File Inclusion vulnerability. The EPSS score of less than 1% reflects a low likelihood of exploitation at present, and the issue is not listed in the CISA KEV catalog. Attackers require authenticated Contributor or higher privileges and must supply a malicious path via the catch_dark_mode shortcode, often by first uploading a .php file or referencing an existing one on the server.

Generated by OpenCVE AI on April 22, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Catch Dark Mode plugin to any release newer than 2.0.
  • If an update is not immediately possible, temporarily remove or disable the catch_dark_mode shortcode—for example, by deleting its usage from posts and pages or commenting out its function in plugin.php—to stop the inclusion of arbitrary files.
  • Revoke Contributor-level permissions on the site until the plugin is fully patched or the shortcode is disabled.
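The shortcode-removal workaround above, and the allowlist pattern that keeps a template-selecting shortcode from becoming a file-inclusion sink, as an added example; this is a hypothetical must-use plugin written for this page, not the vendor's fix or the plugin's own code, and the attribute name 'variant' and the template file names are assumptions.

```php
<?php
/**
 * Plugin Name: Mitigate catch_dark_mode shortcode
 * Hypothetical must-use plugin (wp-content/mu-plugins/), written as an added
 * example for this advisory; it is not the vendor's fix or the plugin's code.
 */

// Workaround from the recommended actions: unregister the shortcode after every
// plugin has had its chance to register it, so it can no longer include files.
add_action( 'init', function () {
    remove_shortcode( 'catch_dark_mode' );
    // Re-register an inert handler so existing posts render nothing instead of
    // the literal "[catch_dark_mode]" text.
    add_shortcode( 'catch_dark_mode', '__return_empty_string' );
}, PHP_INT_MAX );

/**
 * How a template-selecting shortcode avoids CWE-98: user input never becomes a
 * path. The attribute name 'variant' and the template names are assumptions.
 */
function example_safe_template_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'variant' => 'default' ), $atts, 'example_dark_mode' );

    // 1. Allowlist: the attribute is a key into a fixed map, not a file name.
    $allowed = array(
        'default' => 'default.php',
        'compact' => 'compact.php',
    );
    if ( ! is_string( $atts['variant'] ) || ! isset( $allowed[ $atts['variant'] ] ) ) {
        return '';
    }

    // 2. Defence in depth: resolve the path and refuse anything that escapes
    //    the plugin's own templates directory (symlinks, traversal, missing file).
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $path = realpath( $base . DIRECTORY_SEPARATOR . $allowed[ $atts['variant'] ] );
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return '';
    }

    ob_start();
    include $path;
    return ob_get_clean();
}
add_shortcode( 'example_dark_mode', 'example_safe_template_shortcode' );
```

Re-registering an inert handler is optional; leaving the shortcode unregistered is equally safe but shows the raw tag text in affected posts.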

Generated by OpenCVE AI on April 22, 2026 at 16:54 UTC.


Advisories

Source: EUVD
ID: EUVD-2025-29676
Title: The Catch Dark Mode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0 via the 'catch_dark_mode' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
History

Wed, 17 Sep 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Sep 2025 11:00:00 +0000

Type: First Time appeared
Values added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress

Wed, 17 Sep 2025 02:15:00 +0000

Type: Description
Values added: The Catch Dark Mode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0 via the 'catch_dark_mode' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

Type: Title
Values added: Catch Dark Mode <= 2.0 - Authenticated (Contributor+) Local File Inclusion

Type: Weaknesses
Values added: CWE-98

Type: References
Values added:

Type: Metrics (cvssV3_1)
Values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T16:49:50.054Z
Reserved: 2025-09-08T20:51:23.453Z
Link: CVE-2025-10143

Vulnrichment

Updated: 2025-09-17T13:11:50.685Z

NVD

Status: Deferred
Published: 2025-09-17T02:15:32.947
Modified: 2026-04-15T00:35:42.020
Link: CVE-2025-10143

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:00:12Z

Weaknesses