CVE Alert: CVE-2025-10143 – catchthemes – Catch Dark Mode
CVE-2025-10143
The Catch Dark Mode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0 via the ‘catch_dark_mode’ shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
AI Summary Analysis
Risk verdict
High risk: authenticated attackers with Contributor+ access can trigger local file inclusion to execute arbitrary PHP, potentially compromising the site.
Why this matters
Successful exploitation yields PHP code execution in the web server's context, which can be used to obtain sensitive data, bypass access controls, or deface the site. Because WordPress sites are typically internet-facing and one plugin is often installed across many sites belonging to the same host or agency, a single vulnerable install can become a foothold into a shared hosting environment or a whole fleet of sites running the same plugin.
Most likely attack path
Preconditions: Catch Dark Mode <=2.0 installed and active, and an account with at least the Contributor role (per advisory). A Contributor can create and preview posts but not publish them, and shortcodes are rendered on preview, so the attacker stores a [catch_dark_mode] shortcode whose attribute points at a file path and loads the preview to make the plugin include that file. The CVSS remote vector with low-privilege prerequisites is consistent with the advisory rather than in tension with it: the request is network-reachable and the only prerequisite is a low-privileged authenticated user. Note the limit of a local file inclusion: only files already on disk can be included. Executing attacker-chosen code therefore also requires getting a .php file onto the server, and the default Contributor role lacks the upload_files capability, so that step depends on another upload path (a loosened role, a second plugin, or a file planted earlier). Once code runs it runs as the web server user, and further movement depends on file permissions and what that user can reach.
Who is most exposed
Sites running Catch Dark Mode, particularly multi-author sites that hand Contributor accounts to guest writers or self-registered users, and small or medium deployments on managed or shared hosting where plugin updates are delayed or missed.
Detection ideas
- Post content, revisions and autosaves in wp_posts containing a [catch_dark_mode ...] shortcode whose attribute values look like file paths: ../ sequences, absolute paths, .php suffixes or php:// stream wrappers, especially in drafts or pending posts authored by Contributor accounts.
- New .php files appearing under wp-content/uploads or other web-writable directories, followed by requests to them.
- PHP warnings or errors in the web server or PHP-FPM log that reference include/require with unexpected or traversal-style paths.
- Post preview requests (preview=true) from low-privilege accounts immediately followed by unexpected file reads or outbound connections from the PHP process.
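The first detection idea above can be run against a dump of wp_posts. The script below is an added example, not code from the plugin or from this site: it finds every [catch_dark_mode ...] shortcode in post content and flags attribute values that look like file paths or PHP stream wrappers. The attribute name the plugin actually reads is not given in the advisory, so every attribute value is checked; the sample rows are constructed, and the author role is assumed to have been joined in from wp_usermeta (the serialized wp_capabilities key) before scanning.

```python
"""Scan WordPress post content for [catch_dark_mode ...] shortcodes whose
attribute values look like file paths (LFI payloads).

Added example for CVE-2025-10143 triage; not the plugin's code.  Assumptions:
the vulnerable attribute name is unknown, so all attributes are inspected, and
each row already carries the author's role (normally joined from the
wp_capabilities key in wp_usermeta).  Include post_type='revision' rows when
exporting: a payload edited out of a draft survives in its revisions."""
import re

# Shortcode tag and its raw attribute string; WordPress shortcode names are case-sensitive
# in practice, but attackers can't rely on that either, so match case-insensitively.
SHORTCODE_RE = re.compile(r"\[catch_dark_mode\b([^\]]*)\]", re.IGNORECASE)
# name="value", name='value' or name=bare (same forms WordPress shortcode_parse_atts accepts)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")

# (regex applied to a single attribute value, reason label)
SUSPICIOUS = [
    (re.compile(r"\.\.[/\\]"), "path traversal"),
    (re.compile(r"\.php\d?(?=$|[^\w])", re.IGNORECASE), "explicit .php target"),
    (re.compile(r"^(php|phar|data|file|zip|glob|expect)://", re.IGNORECASE), "stream wrapper"),
    (re.compile(r"^(/|[A-Za-z]:\\)"), "absolute path"),
    (re.compile(r"%2e|%2f|%5c|\x00", re.IGNORECASE), "encoded traversal or null byte"),
]

# Roles that should never need to point a dark-mode toggle at a file on disk
LOW_PRIV_ROLES = {"contributor", "author"}

# Constructed sample rows (not real data): wp_posts columns plus the joined author role
SAMPLE_POSTS = [
    {"ID": 101, "post_author_role": "administrator", "post_status": "publish",
     "post_content": "Toggle: [catch_dark_mode]"},
    {"ID": 102, "post_author_role": "contributor", "post_status": "draft",
     "post_content": 'x [catch_dark_mode template="../../../../wp-content/uploads/2025/09/shell.php"] y'},
    {"ID": 103, "post_author_role": "contributor", "post_status": "pending",
     "post_content": '[catch_dark_mode style="php://filter/convert.base64-encode/resource=wp-config"]'},
    {"ID": 104, "post_author_role": "editor", "post_status": "publish",
     "post_content": "[catch_dark_mode position=right]"},
]


def parse_attrs(raw):
    """Return {name: value} for the attribute string inside one shortcode."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def classify_value(value):
    """List every SUSPICIOUS reason that applies to one attribute value."""
    return [label for rx, label in SUSPICIOUS if rx.search(value)]


def scan_posts(posts, flag_roles=LOW_PRIV_ROLES):
    """Return one finding per suspicious attribute across all shortcode instances."""
    findings = []
    for post in posts:
        for sc in SHORTCODE_RE.finditer(post["post_content"]):
            for name, value in parse_attrs(sc.group(1)).items():
                reasons = classify_value(value)
                if not reasons:
                    continue
                role = post["post_author_role"].lower()
                findings.append({
                    "post_id": post["ID"],
                    "author_role": role,
                    "post_status": post["post_status"],
                    "attr": name,
                    "value": value,
                    "reasons": reasons,
                    # drafts/pending posts still render the shortcode on preview
                    "low_priv_author": role in flag_roles,
                })
    return findings


if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        flag = "LOW-PRIV AUTHOR " if f["low_priv_author"] else ""
        print(f"{flag}post {f['post_id']} ({f['author_role']}, {f['post_status']}): "
              f"{f['attr']}={f['value']!r} -> {', '.join(f['reasons'])}")
```

Feed it the real table (for example the output of `wp db query` on wp_posts joined to wp_usermeta) and treat any hit from a Contributor or Author account in a non-published post as a likely exploitation attempt rather than a false positive: there is no legitimate reason for a dark-mode toggle shortcode to carry a path.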
Mitigation and prioritisation
- Update Catch Dark Mode to a release newer than 2.0 as soon as one is available; until then deactivate the plugin. Check for theme or page templates that depend on the shortcode before removing it.
- Enforce least privilege: review who holds Contributor or higher, remove stale or unknown accounts, disable open registration unless it is needed, and audit existing posts, drafts and revisions from those accounts for the shortcode.
- Add WAF rules that block path traversal, absolute paths and php:// wrappers inside shortcode attributes in post-save requests (wp-admin/post.php, admin-ajax.php and the wp/v2/posts REST route), and alert on matches as exploitation attempts.
- Change management: test the update in staging, confirm the dark-mode toggle still works, then roll out rapidly to production.
- If the CVE appears in CISA KEV or its EPSS score indicates active exploitation, treat it as priority 1.