What is the CVSS score of CVE-2025-5804?

CVE-2025-5804 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of PHP are affected by CVE-2025-5804?

The Case Themes Case Theme User WordPress plugin versions before 1.0.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read sensitive files and potentially…. A patch is available.

How to fix or mitigate CVE-2025-5804?

Within 24 hours: Identify all WordPress sites using Case Themes Case Theme User plugin via your WordPress management dashboard or plugin inventory tool and document current versions. Within 7 days: Update the plugin to version 1.0.4 or later across all affected WordPress installations. Verify updates completed successfully and review web server logs for suspicious file inclusion patterns (requests containing ../ or /etc/passwd indicators). Within 30 days: Conduct a security audit of affected WordPress sites to identify any unauthorized file access or code execution artifacts; review and rotate all database credentials and API keys stored in wp-config.php and similar configuration files.

PHP CVE-2025-5804

EUVD-2025-209401 HIGH

PHP Remote File Inclusion (CWE-98)

2026-04-10 Patchstack

PHP Information Disclosure LFI

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 23, 2026 - 15:43 vuln.today

cvss_changed

Analysis Updated

Apr 16, 2026 - 05:58 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.0.4

EUVD ID Assigned

Apr 10, 2026 - 13:45 euvd

EUVD-2025-209401

Analysis Generated

Apr 10, 2026 - 13:45 vuln.today

CVE Published

Apr 10, 2026 - 13:19 nvd

HIGH 7.5

DescriptionNVD

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User allows PHP Local File Inclusion.This issue affects Case Theme User: from n/a before 1.0.4.

AnalysisAI

Local file inclusion in Case Themes Case Theme User WordPress plugin (versions prior to 1.0.4) enables unauthenticated remote attackers to include arbitrary local files via PHP require/include statements. Successful exploitation requires high attack complexity and user interaction, but grants full compromise of confidentiality, integrity, and availability. Attackers may read sensitive configuration files, execute malicious code if file upload exists, or escalate to remote code execution through log poisoning techniques. No public exploit identified at time of analysis.

Technical ContextAI

CWE-98 PHP file inclusion flaw stems from improper sanitization of file paths in require/include statements. The CVSS vector indicates network-accessible attack surface (AV:N) requiring user interaction (UI:R) and high complexity (AC:H), suggesting exploitation depends on specific conditions like user-triggered actions or race conditions. CPE identifies Case Themes Case Theme User WordPress plugin as affected component.

RemediationAI

Vendor-released patch: upgrade Case Theme User plugin to version 1.0.4 or later, which remediates the PHP file inclusion vulnerability. Administrators should update immediately through WordPress plugin management interface or manual installation. If immediate patching is not feasible, deactivate and remove Case Theme User plugin until upgrade is completed. Implement web application firewall rules to block directory traversal patterns (../, %2e%2e/) and null byte injection attempts targeting plugin endpoints. Review server logs for suspicious file access patterns indicating exploitation attempts. Full technical details available at Patchstack advisory: https://patchstack.com/database/wordpress/plugin/case-theme-user/vulnerability/wordpress-case-theme-user-1-0-4-local-file-inclusion-vulnerability?_s_id=cve

CVE-2025-5804 vulnerability details – vuln.today

Back

PHP CVE-2025-5804

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code