Case Theme User WordPress Plugin Local File Inclusion Vulnerability (CVE-2025-5804)
CVE-2025-5804 is a PHP Local File Inclusion vulnerability in the Case Theme User WordPress plugin before version 1.0.4 due to improper filename control in include/require statements, potentially allowing attackers to execute arbitrary code by including malicious local files.
A local file inclusion (LFI) vulnerability, identified as CVE-2025-5804, affects the Case Theme User WordPress plugin before version 1.0.4. The vulnerability stems from insufficient validation of filenames passed to PHP’s include or require statements. This allows an unauthenticated attacker to potentially include arbitrary local files on the server hosting the WordPress instance. Successful exploitation could lead to sensitive information disclosure, arbitrary code execution, or denial of service. The vulnerability was reported and patched by Patchstack. Users of the Case Theme User plugin are advised to upgrade to version 1.0.4 or later to mitigate this risk.
Attack Chain
- An attacker identifies a vulnerable Case Theme User plugin running on a WordPress site.
- The attacker crafts a malicious HTTP request targeting a PHP file within the plugin that uses an include or require statement.
- The attacker modifies a GET or POST parameter associated with the vulnerable include or require statement, injecting a path to a local file (e.g., /etc/passwd).
- The web server processes the request, and the PHP interpreter attempts to include the file specified in the attacker-controlled parameter.
- Due to the LFI vulnerability, the server includes the attacker-specified local file.
- If the included file contains sensitive data, such as configuration files or credentials, the attacker can extract this information from the server’s response.
- In more advanced scenarios, the attacker might attempt to include PHP files containing malicious code, achieving remote code execution on the server.
Impact
Successful exploitation of CVE-2025-5804 can lead to a range of impacts, including sensitive information disclosure such as WordPress configuration files (wp-config.php), which contain database credentials. Arbitrary code execution is possible if the attacker can include a file containing malicious PHP code. This could allow the attacker to gain complete control of the WordPress site and the underlying server. The number of affected sites depends on the adoption rate of the vulnerable Case Theme User plugin, but given the widespread use of WordPress, the potential impact could be significant.
Recommendation
- Immediately update the Case Theme User WordPress plugin to version 1.0.4 or later to patch CVE-2025-5804.
- Deploy the Sigma rule “Detect Case Theme User LFI Attempt” to your SIEM to identify potential exploitation attempts based on suspicious file paths in HTTP requests.
- Monitor web server logs for unusual file access patterns, particularly requests containing “..”, “%2e%2e”, or other directory traversal sequences, to catch LFI attempts (see log source webserver).
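The log-monitoring recommendation above, worked as an added example (not code from the advisory or from Patchstack): it parses combined-format web server access logs, URL-decodes the request target repeatedly so double-encoded traversal such as %252e%252e is exposed, and flags traversal or sensitive-file references. The plugin directory slug, the ajax.php file name, the file parameter and the log lines are constructed assumptions for illustration, not values taken from the page.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
# The plugin path, script name and parameter are assumptions for the example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2025:12:00:01 +0000] "GET /wp-content/plugins/case-theme-user/ajax.php?file=../../../../etc/passwd HTTP/1.1" 200 1532 "-" "curl/8.0"
203.0.113.5 - - [10/Jun/2025:12:00:02 +0000] "GET /wp-content/plugins/case-theme-user/ajax.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2201 "-" "curl/8.0"
203.0.113.5 - - [10/Jun/2025:12:00:03 +0000] "GET /wp-content/plugins/case-theme-user/ajax.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 2201 "-" "curl/8.0"
198.51.100.7 - - [10/Jun/2025:12:00:04 +0000] "GET /wp-content/plugins/case-theme-user/assets/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2025:12:00:05 +0000] "GET /index.php?p=../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
PLUGIN_PATH = "/wp-content/plugins/case-theme-user/"  # assumed plugin slug
# Traversal sequences plus the sensitive files the advisory names as likely targets.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|/etc/passwd|wp-config\.php)", re.IGNORECASE)


def normalize(target: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so %2e%2e and %252e%252e both become '..'."""
    prev = None
    for _ in range(rounds):
        if target == prev:
            break
        prev, target = target, unquote(target)
    return target


def scan(log_text: str) -> list:
    """Return one finding per request whose decoded target contains LFI indicators.

    Requests aimed at the assumed plugin path are rated high; traversal elsewhere
    on the site is still reported, at medium, so it is not silently dropped.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        target = normalize(m["target"])
        if not TRAVERSAL_RE.search(target):
            continue
        in_plugin = target.lower().startswith(PLUGIN_PATH)
        findings.append({
            "ip": m["ip"],
            "status": int(m["status"]),  # a 200 on a traversal request deserves priority
            "decoded": target,
            "severity": "high" if in_plugin else "medium",
        })
    return findings
```

Run `scan(SAMPLE_LOG)` to see the three plugin-targeted requests rated high and the generic traversal against index.php rated medium; the stylesheet request produces no finding.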
Detection coverage (2 rules)
Detect Case Theme User LFI Attempt
Severity: high. Detects potential Local File Inclusion (LFI) attempts targeting the Case Theme User WordPress plugin by monitoring HTTP requests containing directory traversal sequences.
Detect PHP file access outside webroot
Severity: medium. Detects potential Local File Inclusion (LFI) attempts by monitoring PHP file access outside the webroot.