{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2025-5804/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2025-5804"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["php","lfi","wordpress","cve-2025-5804"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA local file inclusion (LFI) vulnerability, tracked as CVE-2025-5804, affects the Case Theme User WordPress plugin before version 1.0.4. The plugin passes a filename derived from request input to PHP\u0026rsquo;s \u003ccode\u003einclude\u003c/code\u003e or \u003ccode\u003erequire\u003c/code\u003e without adequate validation, so an unauthenticated attacker can make the server include arbitrary local files. Depending on which files can be reached, the outcome ranges from disclosure of sensitive data to arbitrary code execution or denial of service. The vulnerability was reported by Patchstack and is fixed in version 1.0.4. 
Users of the Case Theme User plugin should upgrade to version 1.0.4 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a WordPress site running Case Theme User at a version before 1.0.4 (plugin asset paths and the readme exposed under \u003ccode\u003ewp-content/plugins/\u003c/code\u003e are the usual fingerprints).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the plugin endpoint whose \u003ccode\u003einclude\u003c/code\u003e or \u003ccode\u003erequire\u003c/code\u003e takes its filename from a GET or POST parameter; no authentication is needed.\u003c/li\u003e\n\u003cli\u003eThe parameter is set to a traversal path such as \u003ccode\u003e../../../../etc/passwd\u003c/code\u003e, or to a stream wrapper such as \u003ccode\u003ephp://filter\u003c/code\u003e, which \u003ccode\u003einclude\u003c/code\u003e accepts even when remote inclusion is disabled.\u003c/li\u003e\n\u003cli\u003eThe PHP interpreter resolves the attacker-controlled value and, because the plugin performs no containment check, includes the file it names.\u003c/li\u003e\n\u003cli\u003eA non-PHP file is echoed into the response verbatim; a PHP file such as \u003ccode\u003ewp-config.php\u003c/code\u003e is executed rather than displayed, so its source is recovered by wrapping it in \u003ccode\u003ephp://filter/convert.base64-encode/resource=\u003c/code\u003e and decoding the output.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts database credentials, authentication salts and other secrets from the recovered files.\u003c/li\u003e\n\u003cli\u003eFor code execution, the attacker includes a local file they can seed with PHP: a poisoned access or error log, an uploaded image carrying PHP in its metadata, a PHP session file, or \u003ccode\u003e/proc/self/environ\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-5804 exposes any file the web server account can read, including \u003ccode\u003ewp-config.php\u003c/code\u003e with its database credentials and authentication salts (read through the \u003ccode\u003ephp://filter\u003c/code\u003e wrapper, since a plain include would execute it rather than print it). Arbitrary code execution follows once the attacker can place PHP into any locally includable file, at which point the WordPress site and the web server account on the underlying host are fully compromised. 
The exposure is bounded by the install base of the plugin rather than by WordPress usage in general; the advisory gives no install count, but an unauthenticated LFI with a path to code execution is high-impact on every site that runs the vulnerable version.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate the Case Theme User WordPress plugin to version 1.0.4 or later; if that cannot be done promptly, deactivate the plugin until it can.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Case Theme User LFI Attempt\u003c/code\u003e to your SIEM to flag requests to the plugin whose parameters carry suspicious file paths.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (log source \u003ccode\u003ewebserver\u003c/code\u003e) for parameter values containing \u0026ldquo;..\u0026rdquo;, \u0026ldquo;%2e%2e\u0026rdquo; or the double-encoded \u0026ldquo;%252e%252e\u0026rdquo;, absolute paths such as \u003ccode\u003e/etc/passwd\u003c/code\u003e, and stream wrapper prefixes such as \u003ccode\u003ephp://\u003c/code\u003e, \u003ccode\u003edata://\u003c/code\u003e and \u003ccode\u003ephar://\u003c/code\u003e; decode URL encoding before matching so encoded variants are not missed.\u003c/li\u003e\n\u003cli\u003eOn a site that ran the vulnerable version and whose logs show such requests, treat \u003ccode\u003ewp-config.php\u003c/code\u003e as exposed: rotate the database credentials and the authentication keys and salts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-case-theme-lfi/","summary":"CVE-2025-5804 is a PHP Local File Inclusion vulnerability in the Case Theme User WordPress plugin before version 1.0.4 due to improper filename control in include/require statements, potentially allowing attackers to execute arbitrary code by including malicious local files.","title":"Case Theme User WordPress Plugin Local File Inclusion Vulnerability (CVE-2025-5804)","url":"https://feed.craftedsignal.io/briefs/2026-04-case-theme-lfi/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2025-5804","version":"https://jsonfeed.org/version/1.1"}