Platform
wordpress
Component
case-theme-user
Opgelost in
1.0.5
CVE-2025-5804 beschrijft een Improper Control of Filename kwetsbaarheid in de Case Theme User component. Deze kwetsbaarheid maakt PHP Local File Inclusion mogelijk, waardoor een aanvaller potentieel gevoelige informatie kan inlezen. De kwetsbaarheid treft Case Theme User versies 1.0.0 tot en met 1.0.4. Een fix is beschikbaar in versie 1.0.4.
The primary impact of this LFI vulnerability is the potential for remote code execution (RCE). By crafting malicious file inclusion requests, an attacker can include sensitive system files, configuration files, or even PHP scripts. Successful exploitation could allow an attacker to read sensitive data, modify application behavior, or gain complete control over the affected server. The attacker could potentially escalate privileges and move laterally within the network if the server has access to other resources. This vulnerability shares similarities with other LFI exploits where attackers leverage the ability to include arbitrary files to compromise the system.
CVE-2025-5804 was published on 2026-04-10. The vulnerability's severity is rated as HIGH with a CVSS score of 7.5. Currently, there are no publicly known Proof-of-Concept (POC) exploits. The EPSS score is pending evaluation. There are no indications of active exploitation campaigns targeting this vulnerability at this time. Refer to the NVD (National Vulnerability Database) for updates and further information.
Exploit Status
EPSS
0.07% (22% percentiel)
CISA SSVC
CVSS-vector
The recommended mitigation for CVE-2025-5804 is to immediately upgrade Case Theme User to version 1.0.4 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. These may include restricting file access permissions, implementing input validation to sanitize file paths, and configuring a Web Application Firewall (WAF) to block suspicious file inclusion attempts. Specifically, WAF rules should be configured to detect and block requests containing potentially malicious file paths. Monitor system logs for unusual file access patterns that might indicate exploitation attempts. After upgrading, confirm the fix by attempting a file inclusion request with a known malicious path; the request should be blocked or result in an error.
Actualice el plugin Case Theme User a una versión corregida (superior a 1.0.4) para mitigar la vulnerabilidad de inclusión de archivos locales. Verifique la fuente del plugin en wordpress.org para obtener la última versión. Considere implementar medidas de seguridad adicionales, como restringir el acceso a archivos sensibles.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
It's a PHP Local File Inclusion (LFI) vulnerability in Case Themes Case Theme User, allowing attackers to include arbitrary files.
If you are using Case Theme User versions 0.0.0 through 1.0.4, you are potentially affected by this vulnerability.
Upgrade Case Theme User to version 1.0.4 or later to resolve the vulnerability. Implement temporary workarounds if immediate upgrade is not possible.
Currently, there are no publicly known exploits or active exploitation campaigns targeting this vulnerability.
Refer to the National Vulnerability Database (NVD) entry for CVE-2025-5804 for detailed information and updates.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.