Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Catch Themes Catch Dark Mode catch-dark-mode allows PHP Local File Inclusion.This issue affects Catch Dark Mode: from n/a through <= 2.0.1.
Published: 2025-04-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper control of the filename used in a PHP include/require statement, enabling an attacker to include arbitrary local files. This local file inclusion can lead to disclosure of sensitive data, execution of malicious code on the server, and potential compromise of the entire WordPress site. The weakness corresponds to CWE-98.

Affected Systems

Affected systems include any WordPress installation running the Catch Dark Mode plugin from any version up to and including 2.0.1. The plugin is developed by Catch Themes. Users of versions n/a through <= 2.0.1 are susceptible if the plugin is active on a live site.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation at this time. The vulnerability is not currently listed in the CISA KEV catalog. The attack vector is inferred to be a local file inclusion request that could be triggered via a crafted URL or form input, allowing a remote attacker to specify a file path and read server files or execute code if the server environment permits.

Generated by OpenCVE AI on May 1, 2026 at 00:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Catch Dark Mode plugin to version 2.0.2 or later.
  • Remove or disable the plugin if it is not required, or replace it with a secure alternative.
  • Ensure that the WordPress installation and its plugins are kept up to date and that file system permissions limit the ability to read or execute sensitive files.

Generated by OpenCVE AI on May 1, 2026 at 00:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9853 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Catch Themes Catch Dark Mode allows PHP Local File Inclusion. This issue affects Catch Dark Mode: from n/a through 1.2.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Catch Themes Catch Dark Mode allows PHP Local File Inclusion. This issue affects Catch Dark Mode: from n/a through 1.2.1. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Catch Themes Catch Dark Mode catch-dark-mode allows PHP Local File Inclusion.This issue affects Catch Dark Mode: from n/a through <= 2.0.1.
Title WordPress Catch Dark Mode plugin <= 1.2.1 - Local File Inclusion vulnerability WordPress Catch Dark Mode plugin <= 2.0.1 - Local File Inclusion vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 12 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Catchthemes
Catchthemes catch Dark Mode
CPEs cpe:2.3:a:catchthemes:catch_dark_mode:*:*:*:*:*:wordpress:*:*
Vendors & Products Catchthemes
Catchthemes catch Dark Mode

Fri, 04 Apr 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 04 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Catch Themes Catch Dark Mode allows PHP Local File Inclusion. This issue affects Catch Dark Mode: from n/a through 1.2.1.
Title WordPress Catch Dark Mode plugin <= 1.2.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Catchthemes Catch Dark Mode
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:17.647Z

Reserved: 2025-04-04T10:00:58.028Z

Link: CVE-2025-32154

cve-icon Vulnrichment

Updated: 2025-04-04T19:53:24.472Z

cve-icon NVD

Status : Modified

Published: 2025-04-04T16:15:23.833

Modified: 2026-04-23T15:28:39.530

Link: CVE-2025-32154

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T00:45:05Z

Weaknesses