Plataforma
wordpress
Componente
case-theme-user
Corrigido em
1.0.5
Uma vulnerabilidade de Inclusão de Arquivo Local (LFI) foi descoberta no componente Case Theme User. Essa falha ocorre devido ao controle inadequado do nome do arquivo em declarações de include/require, permitindo que um invasor inclua arquivos arbitrários no sistema. A vulnerabilidade afeta o Case Theme User nas versões de 1.0.0 a 1.0.4. A correção para essa vulnerabilidade está disponível na versão 1.0.4.
The primary impact of this LFI vulnerability is the potential for remote code execution (RCE). By crafting malicious file inclusion requests, an attacker can include sensitive system files, configuration files, or even PHP scripts. Successful exploitation could allow an attacker to read sensitive data, modify application behavior, or gain complete control over the affected server. The attacker could potentially escalate privileges and move laterally within the network if the server has access to other resources. This vulnerability shares similarities with other LFI exploits where attackers leverage the ability to include arbitrary files to compromise the system.
CVE-2025-5804 was published on 2026-04-10. The vulnerability's severity is rated as HIGH with a CVSS score of 7.5. Currently, there are no publicly known Proof-of-Concept (POC) exploits. The EPSS score is pending evaluation. There are no indications of active exploitation campaigns targeting this vulnerability at this time. Refer to the NVD (National Vulnerability Database) for updates and further information.
Status do Exploit
EPSS
0.07% (percentil 22%)
CISA SSVC
The recommended mitigation for CVE-2025-5804 is to immediately upgrade Case Theme User to version 1.0.4 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. These may include restricting file access permissions, implementing input validation to sanitize file paths, and configuring a Web Application Firewall (WAF) to block suspicious file inclusion attempts. Specifically, WAF rules should be configured to detect and block requests containing potentially malicious file paths. Monitor system logs for unusual file access patterns that might indicate exploitation attempts. After upgrading, confirm the fix by attempting a file inclusion request with a known malicious path; the request should be blocked or result in an error.
Actualice el plugin Case Theme User a una versión corregida (superior a 1.0.4) para mitigar la vulnerabilidad de inclusión de archivos locales. Verifique la fuente del plugin en wordpress.org para obtener la última versión. Considere implementar medidas de seguridad adicionales, como restringir el acceso a archivos sensibles.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
É uma vulnerabilidade de Inclusão de Arquivo Local (LFI) no Case Theme User, permitindo a inclusão de arquivos PHP locais.
Se você estiver usando o Case Theme User nas versões de 1.0.0 a 1.0.4, você está potencialmente afetado.
Atualize o Case Theme User para a versão 1.0.4 ou superior para corrigir essa vulnerabilidade.
Vetor CVSS
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.