Overview

This report details a significant vulnerability identified in the Catch Dark Mode plugin for WordPress. This vulnerability, labelled as CVE-2025-10143, potentially allows authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, leading to potential system compromise or data leakage. This is a serious security risk for any organizations or individuals using affected versions of the plugin on their WordPress sites.

Vulnerability Summary

CVE ID: CVE-2025-10143
Severity: High (CVSS 7.5)
Attack Vector: Local File Inclusion
Privileges Required: Contributor-level access
User Interaction: Required
Impact: Potential system compromise or data leakage

Affected Products

Product | Affected Versions

Catch Dark Mode WordPress Plugin | All versions up to and including 2.0

How the Exploit Works

The vulnerability lies in the ‘catch_dark_mode’ shortcode of the Catch Dark Mode plugin. Attackers with at least Contributor-level access can exploit this vulnerability by including arbitrary .php files via the shortcode. Since the shortcode does not properly sanitize or validate the included files, this allows the execution of any PHP code in those files. Consequently, attackers can bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

Conceptual Example Code

The following pseudocode exemplifies how an attacker might exploit this vulnerability:

catch_dark_mode('[include] /path/to/malicious.php [/include]');

In this example, ‘malicious.php’ is an arbitrary PHP file that the attacker has uploaded to the server. When the Catch Dark Mode plugin processes the shortcode, it includes and executes the code in ‘malicious.php’, leading to potential system compromise or data leakage.