{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2025-58913/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-58913"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","lfi","cve-2025-58913"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA local file inclusion (LFI) vulnerability has been identified in the CactusThemes VideoPro WordPress theme. Assigned CVE-2025-58913, this vulnerability exists due to the improper handling of filenames passed to include or require statements within the PHP code of the theme. Specifically, versions of VideoPro from its initial release up to and including version 2.3.8.1 are affected. Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to further compromise. The vulnerability was reported by Patchstack. Defenders should prioritize patching or removing the vulnerable theme.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a VideoPro installation running a vulnerable version (\u0026lt;= 2.3.8.1).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a PHP script within the VideoPro theme that uses \u003ccode\u003einclude\u003c/code\u003e or \u003ccode\u003erequire\u003c/code\u003e statements.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a path traversal sequence (e.g., \u003ccode\u003e../../../../etc/passwd\u003c/code\u003e) into the filename parameter of the HTTP request.\u003c/li\u003e\n\u003cli\u003eThe vulnerable PHP script, without proper sanitization of the filename, attempts to include the attacker-specified file.\u003c/li\u003e\n\u003cli\u003eIf successful, the contents of the file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e) are exposed within the web server\u0026rsquo;s response.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the exposed file contents for sensitive information such as user credentials or configuration details.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained information to further compromise the server or other related systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-58913 allows an attacker to read arbitrary files on the webserver hosting the vulnerable WordPress instance. This can lead to the exposure of sensitive data such as configuration files containing database credentials, WordPress salts, or even source code. If sensitive credentials are leaked, an attacker could pivot to other systems or gain administrative access to the WordPress site. The vulnerable VideoPro theme is used by an unknown number of WordPress websites, representing a significant attack surface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the CactusThemes VideoPro theme to a patched version (later than 2.3.8.1) or remove the theme entirely from WordPress installations to remediate CVE-2025-58913.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect VideoPro LFI Attempts via Path Traversal\u0026rdquo; to identify exploitation attempts against vulnerable VideoPro installations using path traversal sequences in URI queries.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for suspicious requests containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e../../\u003c/code\u003e) in the URI query string, which may indicate LFI attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-videopro-lfi/","summary":"CVE-2025-58913 is a PHP Local File Inclusion vulnerability in the CactusThemes VideoPro WordPress theme, affecting versions from n/a through 2.3.8.1 due to improper control of the filename for include/require statements, potentially allowing unauthorized file access.","title":"CactusThemes VideoPro Theme Local File Inclusion Vulnerability (CVE-2025-58913)","url":"https://feed.craftedsignal.io/briefs/2026-04-videopro-lfi/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2025-58913","version":"https://jsonfeed.org/version/1.1"}