CVE-2025-5804

EUVD-2025-209401 | HIGH 7.5 (CVSS 3.1) | Published 2026-04-10 | Source: Patchstack

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

CVE Published: Apr 10, 2026 13:19 (nvd)
EUVD ID Assigned: Apr 10, 2026 13:45 (euvd), EUVD-2025-209401
Analysis Generated: Apr 10, 2026 13:45 (vuln.today)

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User allows PHP Local File Inclusion. This issue affects Case Theme User: from n/a before 1.0.4.

Analysis

Case Theme User, a WordPress plugin by Case Themes, passes attacker-influenced input to a PHP include/require statement in versions before 1.0.4 (CWE-98), giving unauthenticated remote attackers a local file inclusion primitive. The CVSS vector (AC:H, UI:R) indicates that exploitation depends on conditions outside the attacker's control and on a user performing some action, but a successful attack has high impact on confidentiality, integrity and availability. What an attacker can actually reach depends on how the plugin assembles the path: a PHP file reached through include() is executed rather than displayed, so disclosing source or configuration (for example wp-config.php) typically requires a non-PHP target or a stream wrapper such as php://filter, while code execution typically requires a file whose contents the attacker controls, such as an uploaded file or a poisoned web-server or PHP log. No public exploit was identified at the time of analysis.

Technical Context

CWE-98 covers include/require statements whose filename is built from input that is not properly restricted. The CVSS vector describes a network-reachable attack surface (AV:N) that needs no privileges (PR:N) but requires user interaction (UI:R) and has high attack complexity (AC:H); in practice that usually means a victim has to load a crafted link or page, and conditions outside the attacker's control (how the vulnerable path is assembled, which files already exist on the host) must line up. The CPE record identifies the Case Theme User WordPress plugin by Case Themes as the affected component.
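The analysis and technical context above describe the CWE-98 pattern in the abstract. The following is an added example, not code from the Case Theme User plugin or from the advisory: it puts the vulnerable shape (a request-controlled value concatenated into include()) next to an allowlist-based fix with a containment check. The parameter semantics, the template keys and the templates/ directory are assumptions made for illustration only.

```php
<?php
// Added example, not code from the Case Theme User plugin.
// Shows the CWE-98 pattern (request-controlled value reaching include())
// next to an allowlist-based fix. The template keys and the templates/
// directory are assumptions made for illustration.

// ---- Vulnerable pattern: the untrusted value becomes part of the include path ----
function ctu_include_vulnerable(string $baseDir, string $requested): void
{
    // "../../../../wp-config" or "php://filter/convert.base64-encode/resource=..."
    // reaches include() unchanged; only the trailing ".php" is fixed.
    include $baseDir . '/' . $requested . '.php';
}

// ---- Hardened pattern: untrusted key -> fixed filename, then a containment check ----
const CTU_TEMPLATES = [
    'login'    => 'login-form.php',
    'register' => 'register-form.php',
    'profile'  => 'profile.php',
];

// Returns the absolute path to include, or null when the request is rejected.
function ctu_resolve_template(string $baseDir, string $requested): ?string
{
    // 1. Allowlist: the request can only select a key, never supply a path.
    if (!array_key_exists($requested, CTU_TEMPLATES)) {
        return null;
    }
    // 2. Defence in depth: resolve both paths and require the file to stay
    //    inside $baseDir. realpath() collapses ".." and returns false for
    //    missing files, so a removed template cannot fall back to anything else.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . CTU_TEMPLATES[$requested]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function ctu_include_hardened(string $baseDir, string $requested): void
{
    $path = ctu_resolve_template($baseDir, $requested);
    if ($path === null) {
        http_response_code(400);
        echo "Unknown template\n";
        return;
    }
    include $path;
}

// ---- Stand-alone demonstration with constructed files (run: php lfi-example.php) ----
$tmp = sys_get_temp_dir() . '/ctu-demo-' . getmypid();
mkdir($tmp . '/templates', 0700, true);
foreach (CTU_TEMPLATES as $file) {
    file_put_contents("$tmp/templates/$file", "<?php echo \"rendered $file\\n\";\n");
}

$probes = [
    'login',                                                  // legitimate key
    '../../../../wp-config',                                  // directory traversal
    'php://filter/convert.base64-encode/resource=wp-config',  // stream wrapper
    "profile\0",                                              // embedded null byte
];
foreach ($probes as $requested) {
    $resolved = ctu_resolve_template($tmp . '/templates', $requested);
    printf("%-58s -> %s\n", addcslashes($requested, "\0"),
           $resolved === null ? 'rejected' : 'allowed: ' . basename($resolved));
}
ctu_include_hardened($tmp . '/templates', 'login');   // prints "rendered login-form.php"

foreach (CTU_TEMPLATES as $file) {
    unlink("$tmp/templates/$file");
}
rmdir($tmp . '/templates');
rmdir($tmp);
```

The allowlist is what removes the vulnerability class: once the request can only choose among fixed keys, traversal sequences, stream wrappers and null bytes never reach a filesystem or include() call. The realpath() containment check is a second line of defence for the case where the table itself is later populated from a less trusted source.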

Affected Products

Case Themes Case Theme User WordPress plugin, vendor Case Themes, versions prior to 1.0.4. CPE: cpe:2.3:a:case_themes:case_theme_user:*:*:*:*:*:*:*:* (all versions before 1.0.4 vulnerable).

Remediation

Vendor fix: upgrade Case Theme User to version 1.0.4 or later, which remediates the PHP file inclusion vulnerability. Update through the WordPress plugin management screen or by manual installation. If patching immediately is not feasible, deactivate and delete the plugin until the upgrade is completed; deactivation alone still leaves the plugin's PHP files reachable under wp-content/plugins/, so remove the directory as well. As a stopgap, add web application firewall rules that block directory traversal sequences (../, %2e%2e/, and double-encoded forms such as %252e%252e%252f), null bytes (%00) and stream-wrapper prefixes (php://, data://) in requests to the plugin's endpoints, bearing in mind that pattern rules are a temporary mitigation, not a fix, since encoding variations can evade them. Review web-server logs for requests to the plugin's paths carrying such patterns, which indicate exploitation attempts. Full technical details are in the Patchstack advisory: https://patchstack.com/database/wordpress/plugin/case-theme-user/vulnerability/wordpress-case-theme-user-1-0-4-local-file-inclusion-vulnerability?_s_id=cve
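The log review step above is easy to get wrong if the decoder stops at one round of percent-decoding. The following is an added example, not part of the page or the vendor's tooling: a small PHP CLI script that parses combined-format web-server log lines, decodes each request target repeatedly so double-encoded traversal is seen as ../, and flags traversal, null-byte and stream-wrapper payloads aimed at the plugin's directory. The plugin slug (case-theme-user) is taken from the Patchstack advisory URL; the log lines, the example.php endpoint and the view parameter are constructed for the demonstration and are not the real vulnerable endpoint.

```php
<?php
// Added example, not from the page or the plugin vendor. The plugin slug is
// from the advisory URL; log lines, endpoint and parameter names are
// constructed for the demo and are not the real vulnerable endpoint.

const PLUGIN_PATH = '/wp-content/plugins/case-theme-user/';

// Patterns that indicate an attempt to steer include()/require() off the intended file.
const SUSPICIOUS = [
    'traversal'      => '#\.\.[/\\\\]#',
    'null byte'      => '#\x00#',
    'stream wrapper' => '#\b(php|data|expect|phar|zip|file|glob|compress\.zlib)://#i',
];

// Decode percent-encoding until the value stops changing (bounded), so
// %252e%252e%252f is seen as ../ just like %2e%2e%2f and ../ are.
function ctu_normalise(string $target, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($target);
        if ($decoded === $target) {
            break;
        }
        $target = $decoded;
    }
    return $target;
}

// Returns the reasons a request target is suspicious, or [] for clean or out-of-scope ones.
function ctu_classify(string $target): array
{
    $decoded = ctu_normalise($target);
    if (stripos($decoded, PLUGIN_PATH) === false) {
        return [];   // not aimed at the plugin directory
    }
    $reasons = [];
    foreach (SUSPICIOUS as $label => $regex) {
        if (preg_match($regex, $decoded)) {
            $reasons[] = $label;
        }
    }
    return $reasons;
}

// Minimal combined-log-format parser: only client IP, time, method, target and status are needed.
function ctu_parse_line(string $line): ?array
{
    if (!preg_match('#^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})#', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

// Constructed sample log lines (not real traffic).
$log = <<<'LOG'
203.0.113.10 - - [10/Apr/2026:14:02:11 +0000] "GET /wp-content/plugins/case-theme-user/assets/css/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Apr/2026:14:02:40 +0000] "GET /wp-content/plugins/case-theme-user/example.php?view=../../../../wp-config HTTP/1.1" 500 0 "-" "curl/8.5.0"
203.0.113.77 - - [10/Apr/2026:14:02:41 +0000] "GET /wp-content/plugins/case-theme-user/example.php?view=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 500 0 "-" "curl/8.5.0"
203.0.113.77 - - [10/Apr/2026:14:02:45 +0000] "GET /wp-content/plugins/case-theme-user/example.php?view=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 2211 "-" "curl/8.5.0"
198.51.100.5 - - [10/Apr/2026:14:03:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0"
LOG;

foreach (explode("\n", $log) as $line) {
    $req = ctu_parse_line($line);
    if ($req === null) {
        continue;
    }
    $reasons = ctu_classify($req['target']);
    if ($reasons !== []) {
        printf("ALERT %s %s %d %s [%s]\n", $req['ip'], $req['method'], $req['status'],
               ctu_normalise($req['target']), implode(', ', $reasons));
    }
}
```

Run it as `php lfi-log-scan.php` against the embedded sample; to use it on a real log, replace the heredoc with `file('/var/log/apache2/access.log')`. Three of the five constructed lines are flagged (one plain traversal, one double-encoded traversal, one php://filter wrapper); the status code is printed alongside because a 200 on a wrapper probe deserves more attention than a 500 on a traversal attempt.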

Priority Score

38 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0
