PHP CVE-2025-58913

EUVD-2025-209403 HIGH
PHP Remote File Inclusion (CWE-98)
2026-04-10 Patchstack GHSA-rfxf-xpj4-mc2x
CVSS 3.1 score: 8.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 events)

Apr 23, 2026 - 15:43 (vuln.today): Re-analysis Queued (cvss_changed)
Apr 10, 2026 - 13:45 (euvd): EUVD ID Assigned (EUVD-2025-209403)
Apr 10, 2026 - 13:45 (vuln.today): Analysis Generated
Apr 10, 2026 - 13:21 (nvd): CVE Published (HIGH 8.1)

Description (NVD)

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro allows PHP Local File Inclusion. This issue affects VideoPro: from n/a through 2.3.8.1.

Analysis (AI)

Local file inclusion in CactusThemes VideoPro WordPress theme through version 2.3.8.1 allows unauthenticated remote attackers to read arbitrary files on the server via improper filename control in PHP include/require statements. Exploitation requires high attack complexity but no user interaction. EPSS score indicates low observed exploitation activity; no public exploit identified at time of analysis.

Technical Context (AI)

This is a PHP remote file inclusion vulnerability (CWE-98) stemming from insufficient validation of user-supplied input passed to include/require statements. Although the CVE is classified as RFI, the tags and CVSS context indicate LFI behavior, enabling arbitrary file reads through path traversal. The attack vector is network-based and the complexity is high (AC:H), suggesting that exploitation is conditional on configuration or race conditions.

Remediation (AI)

No vendor-released patch was identified at time of analysis. Immediately deactivate the VideoPro theme and migrate to an actively maintained alternative. Contact CactusThemes about the availability of a patched version. Implement web application firewall rules to block path traversal attempts targeting theme directories. Restrict PHP file access permissions to the minimum required. Monitor server logs for suspicious file inclusion patterns in theme-related requests. Advisory details: https://patchstack.com/database/wordpress/theme/videopro/vulnerability/wordpress-videopro-theme-2-3-8-1-local-file-inclusion-vulnerability. Do not re-enable the theme until a confirmed patched version has been released and applied.
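One way to carry out the log monitoring step is sketched below. This is an added example, not code from the advisory or from CactusThemes. It assumes Combined Log Format access logs and the theme slug `videopro` (taken from the advisory URL); the log lines are constructed, and `example_param` is a placeholder because the page does not name the affected parameter.

```python
import re
from urllib.parse import unquote

# Combined Log Format: client IP, request target and status are all we need.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')
# File-inclusion indicators, matched against the fully decoded request target.
INDICATORS = {
    "traversal": re.compile(r"\.\.[/\\]"),
    "stream_wrapper": re.compile(r"\b(?:php|file|data|phar|zip|expect)://", re.I),
    "null_byte": re.compile(r"\x00"),
}

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding, e.g. %252e%252e%252f -> ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

# scope: substring the decoded target must contain (assumed theme slug);
# pass None to check every request regardless of path.
def scan(lines, scope="videopro"):
    """Return (line_no, ip, status, reasons) for each suspicious request."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        ip, target, status = m.groups()
        url = fully_decode(target)
        if scope and scope.lower() not in url.lower():
            continue
        reasons = sorted(name for name, rx in INDICATORS.items() if rx.search(url))
        if reasons:
            findings.append((line_no, ip, int(status), reasons))
    return findings

# Constructed log lines; "example_param" is a placeholder, not the real parameter.
TS = "[10/Apr/2026:14:02:11 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {TS} "GET /wp-content/themes/videopro/style.css HTTP/1.1" 200 5120',
    f'198.51.100.23 - - {TS} "GET /wp-content/themes/videopro/?example_param=..%2f..%2fwp-config.php HTTP/1.1" 200 312',
    f'198.51.100.23 - - {TS} "GET /wp-content/themes/videopro/?example_param=%252e%252e%252fwp-config.php HTTP/1.1" 200 312',
    f'198.51.100.23 - - {TS} "GET /wp-content/themes/videopro/?example_param=file%3A%2F%2F%2Fetc%2Fhostname HTTP/1.1" 404 0',
    f'192.0.2.50 - - {TS} "GET /wp-content/plugins/other/?example_param=..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 403 0',
    "not a log line",
]
```

A finding with a 200 status deserves priority over a 403 or 404, since it means the server answered the request rather than rejecting it.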
