CVE-2025-32154
📋 TL;DR
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the Catch Dark Mode plugin, potentially leading to sensitive information disclosure or code execution. All sites running vulnerable versions of this plugin are at risk.
💻 Affected Systems
- WordPress Catch Dark Mode Plugin
📦 What is this software?
Catch Dark Mode by Catchthemes
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through local file inclusion leading to remote code execution, sensitive file disclosure (including configuration files with credentials), and complete site takeover.
Likely Case
Information disclosure of sensitive server files (like wp-config.php containing database credentials), potential privilege escalation, and limited code execution depending on server configuration.
If Mitigated
Limited impact with proper file permissions, disabled dangerous PHP functions, and restricted web server access to sensitive directories.
🎯 Exploit Status
Local file inclusion vulnerabilities are commonly exploited and weaponization is likely given the public disclosure and WordPress plugin popularity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.2 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Catch Dark Mode plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.2.2 or later from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until it is patched (WP-CLI):
wp plugin deactivate catch-dark-mode
Restrict File Access
Add web server rules to block direct access to sensitive files and directories
# Add to .htaccess for Apache.
# Scope this to directories that should never serve PHP directly
# (for example wp-content/uploads); at the web root it would also
# block WordPress itself. On Apache 2.4 without mod_access_compat,
# replace the Order/Deny pair with "Require all denied".
<FilesMatch "\.(php|inc|conf|config)$">
Order Deny,Allow
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Remove or disable the Catch Dark Mode plugin immediately
- Implement web application firewall (WAF) rules to block file inclusion patterns and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Catch Dark Mode version. If version is 1.2.1 or lower, you are vulnerable.
Check Version:
wp plugin get catch-dark-mode --field=version
Verify Fix Applied:
Verify plugin version is 1.2.2 or higher in WordPress admin panel. Test functionality remains working.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in web server logs, especially attempts to access PHP include files with path traversal sequences (../)
Network Indicators:
- HTTP requests containing file inclusion patterns, directory traversal sequences, or attempts to access sensitive files
SIEM Query:
web_access_logs WHERE url CONTAINS 'catch-dark-mode' AND (url CONTAINS '../' OR url CONTAINS 'php://' OR url CONTAINS 'file=')
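The log-based detection above, as an added example that is not part of the original advisory: a small Python scanner that applies the same indicators to Apache combined-format access log lines. The sample lines are constructed, the Apache log format is an assumption, and the `file=` parameter name is taken from the SIEM query rather than confirmed for the plugin; the scanner also percent-decodes URLs so encoded traversal sequences are not missed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample Apache combined-format lines (not real traffic); the
# "file=" parameter is an assumption taken from the SIEM query above, not a
# confirmed parameter name of the plugin.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2025:10:01:02 +0000] "GET /wp-content/plugins/catch-dark-mode/assets/dark-mode.css HTTP/1.1" 200 1822 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2025:10:01:07 +0000] "GET /wp-content/plugins/catch-dark-mode/?file=../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.9 - - [10/May/2025:10:01:09 +0000] "GET /wp-content/plugins/catch-dark-mode/?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.9 - - [10/May/2025:10:01:12 +0000] "GET /wp-content/plugins/catch-dark-mode/?file=php://input HTTP/1.1" 500 0 "-" "curl/8.4"
198.51.100.2 - - [10/May/2025:10:02:00 +0000] "GET /wp-admin/admin.php?page=catch-dark-mode HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Apache combined log: ip ident user [timestamp] "method url proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
INDICATORS = ("../", "..\\", "php://", "file=")


def is_lfi_attempt(url: str) -> bool:
    """Same logic as the SIEM query: plugin path plus a traversal/wrapper/file= marker.
    The URL is percent-decoded twice first so ..%2F and ..%252F are caught;
    a plain substring match on the raw URL would miss both."""
    decoded = unquote(unquote(url)).lower()
    if "catch-dark-mode" not in decoded:
        return False
    return any(marker in decoded for marker in INDICATORS)


def scan_log(text: str) -> list[dict]:
    """Return one record per suspicious request; unparsable lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_lfi_attempt(m["url"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "url": m["url"], "status": int(m["status"])})
    return hits


def sources(hits: list[dict]) -> Counter:
    """Count hits per client IP to surface a single source probing repeatedly."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["url"]}')
    print("per source:", dict(sources(found)))
```

Note that `file=` on its own is a weak indicator (it also matches legitimate plugin requests), so treat a hit as a trigger for review, and a 200 status on a traversal request as the higher-priority case.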