CVE-2025-58913 | EUVD-2025-209403 | HIGH

2026-04-10 | Patchstack | GHSA-rfxf-xpj4-mc2x

CVSS 3.1 base score: 8.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Apr 10, 2026 - 13:45 (vuln.today)
EUVD ID Assigned: Apr 10, 2026 - 13:45 (euvd), EUVD-2025-209403
CVE Published: Apr 10, 2026 - 13:21 (nvd), HIGH 8.1

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro allows PHP Local File Inclusion. This issue affects VideoPro: from n/a through 2.3.8.1.

Analysis

Local file inclusion in CactusThemes VideoPro WordPress theme through version 2.3.8.1 allows unauthenticated remote attackers to read arbitrary files on the server via improper filename control in PHP include/require statements. Exploitation requires high attack complexity but no user interaction. EPSS score indicates low observed exploitation activity; no public exploit identified at time of analysis.

Technical Context

PHP remote file inclusion vulnerability (CWE-98) stemming from insufficient validation of user-supplied input passed to include/require statements. Despite the CVE classification as RFI, the tags and CVSS context indicate LFI behavior, enabling arbitrary file reads through path traversal. The attack vector is network-based and the complexity is high (AC:H), which suggests that exploitation is conditional on configuration or on winning a race condition.
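The CWE-98 pattern described above, as an added illustration that is not VideoPro's code and not taken from the advisory: a request parameter (the name `layout` and the `templates/` directory are assumptions) is used to choose a file for `include`. The weak form passes the request string into the path; the hardened form maps it through a fixed allowlist and verifies that the resolved path stays inside the intended directory.

```php
<?php
// Added example (hypothetical theme code, not VideoPro's). The parameter
// name 'layout' and the templates/ directory are assumptions.

// Weak pattern (CWE-98): the request value reaches the filesystem path
// unchanged, so traversal sequences or absolute paths select the file.
function load_template_weak(string $layout): void {
    include __DIR__ . '/templates/' . $layout . '.php';
}

// Hardened pattern: the request value is only ever a key into a fixed map;
// the filename itself never comes from the request.
const ALLOWED_LAYOUTS = [
    'grid'   => 'grid.php',
    'list'   => 'list.php',
    'single' => 'single.php',
];

// Returns the absolute path of an allowlisted template, or null if the key
// is unknown or the resolved file is not inside the templates directory.
function resolve_template(string $layout): ?string {
    if (!isset(ALLOWED_LAYOUTS[$layout])) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . ALLOWED_LAYOUTS[$layout]);
    // realpath() returns false for a missing file. The prefix check is a
    // second guard against symlinks or later edits to the map that would
    // point outside the directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_template(string $layout): void {
    $path = resolve_template($layout);
    if ($path === null) {
        // Fall back to a known-good default; never reflect the input.
        $path = resolve_template('grid');
    }
    if ($path !== null) {
        include $path;
    }
}

// Usage (request handling assumed): load_template($_GET['layout'] ?? 'grid');
```

In a WordPress theme the idiomatic equivalent of the hardened branch is to pass an allowlisted slug to `get_template_part()` rather than calling `include` directly; the allowlist is what matters, not the include mechanism.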

Affected Products

CactusThemes VideoPro WordPress theme, versions through 2.3.8.1 (cpe:2.3:a:cactusthemes:videopro:*:*:*:*:*:*:*:*). All installations at or below version 2.3.8.1 are vulnerable.

Remediation

No vendor-released patch identified at time of analysis. Immediately deactivate the VideoPro theme and migrate to an actively maintained alternative. Contact CactusThemes for patched version availability. Implement web application firewall rules to block path traversal attempts targeting theme directories. Restrict PHP file access permissions to the minimum required. Monitor server logs for suspicious file inclusion patterns in theme-related requests. Advisory details: https://patchstack.com/database/wordpress/theme/videopro/vulnerability/wordpress-videopro-theme-2-3-8-1-local-file-inclusion-vulnerability. Do not re-enable the theme until a confirmed patched version has been released and applied.

Priority Score

40 (scale: Low, Medium, High, Critical)

KEV: 0
EPSS: +0.1
CVSS: +40
POC: 0
