{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/lfi/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2025-5804"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["php","lfi","wordpress","cve-2025-5804"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA local file inclusion (LFI) vulnerability, identified as CVE-2025-5804, affects the Case Theme User WordPress plugin before version 1.0.4. The vulnerability stems from insufficient validation of filenames passed to PHP\u0026rsquo;s \u003ccode\u003einclude\u003c/code\u003e or \u003ccode\u003erequire\u003c/code\u003e statements. This allows an unauthenticated attacker to potentially include arbitrary local files on the server hosting the WordPress instance. Successful exploitation could lead to sensitive information disclosure, arbitrary code execution, or denial of service. The vulnerability was reported and patched by Patchstack. Users of the Case Theme User plugin are advised to upgrade to version 1.0.4 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Case Theme User plugin running on a WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a PHP file within the plugin that uses an \u003ccode\u003einclude\u003c/code\u003e or \u003ccode\u003erequire\u003c/code\u003e statement.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies a GET or POST parameter associated with the vulnerable \u003ccode\u003einclude\u003c/code\u003e or \u003ccode\u003erequire\u003c/code\u003e statement, injecting a path to a local file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe web server processes the request, and the PHP interpreter attempts to include the file specified in the attacker-controlled parameter.\u003c/li\u003e\n\u003cli\u003eDue to the LFI vulnerability, the server includes the attacker-specified local file.\u003c/li\u003e\n\u003cli\u003eIf the included file contains sensitive data, such as configuration files or credentials, the attacker can extract this information from the server\u0026rsquo;s response.\u003c/li\u003e\n\u003cli\u003eIn more advanced scenarios, the attacker might attempt to include PHP files containing malicious code, achieving remote code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-5804 can lead to a range of impacts, including sensitive information disclosure such as WordPress configuration files (wp-config.php), which contain database credentials. Arbitrary code execution is possible if the attacker can include a file containing malicious PHP code. This could allow the attacker to gain complete control of the WordPress site and the underlying server. The number of affected sites depends on the adoption rate of the vulnerable Case Theme User plugin, but given the widespread use of WordPress, the potential impact could be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Case Theme User WordPress plugin to version 1.0.4 or later to patch CVE-2025-5804.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Case Theme User LFI Attempt\u003c/code\u003e to your SIEM to identify potential exploitation attempts based on suspicious file paths in HTTP requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual file access patterns, particularly requests containing \u0026ldquo;..\u0026rdquo;, \u0026ldquo;%2e%2e\u0026rdquo;, or other directory traversal sequences, to catch LFI attempts (see log source \u003ccode\u003ewebserver\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-case-theme-lfi/","summary":"CVE-2025-5804 is a PHP Local File Inclusion vulnerability in the Case Theme User WordPress plugin before version 1.0.4 due to improper filename control in include/require statements, potentially allowing attackers to execute arbitrary code by including malicious local files.","title":"Case Theme User WordPress Plugin Local File Inclusion Vulnerability (CVE-2025-5804)","url":"https://feed.craftedsignal.io/briefs/2026-04-case-theme-lfi/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-58913"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","lfi","cve-2025-58913"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA local file inclusion (LFI) vulnerability has been identified in the CactusThemes VideoPro WordPress theme. Assigned CVE-2025-58913, this vulnerability exists due to the improper handling of filenames passed to include or require statements within the PHP code of the theme. Specifically, versions of VideoPro from its initial release up to and including version 2.3.8.1 are affected. Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to further compromise. The vulnerability was reported by Patchstack. Defenders should prioritize patching or removing the vulnerable theme.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a VideoPro installation running a vulnerable version (\u0026lt;= 2.3.8.1).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a PHP script within the VideoPro theme that uses \u003ccode\u003einclude\u003c/code\u003e or \u003ccode\u003erequire\u003c/code\u003e statements.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a path traversal sequence (e.g., \u003ccode\u003e../../../../etc/passwd\u003c/code\u003e) into the filename parameter of the HTTP request.\u003c/li\u003e\n\u003cli\u003eThe vulnerable PHP script, without proper sanitization of the filename, attempts to include the attacker-specified file.\u003c/li\u003e\n\u003cli\u003eIf successful, the contents of the file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e) are exposed within the web server\u0026rsquo;s response.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the exposed file contents for sensitive information such as user credentials or configuration details.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained information to further compromise the server or other related systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-58913 allows an attacker to read arbitrary files on the webserver hosting the vulnerable WordPress instance. This can lead to the exposure of sensitive data such as configuration files containing database credentials, WordPress salts, or even source code. If sensitive credentials are leaked, an attacker could pivot to other systems or gain administrative access to the WordPress site. The vulnerable VideoPro theme is used by an unknown number of WordPress websites, representing a significant attack surface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the CactusThemes VideoPro theme to a patched version (later than 2.3.8.1) or remove the theme entirely from WordPress installations to remediate CVE-2025-58913.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect VideoPro LFI Attempts via Path Traversal\u0026rdquo; to identify exploitation attempts against vulnerable VideoPro installations using path traversal sequences in URI queries.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for suspicious requests containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e../../\u003c/code\u003e) in the URI query string, which may indicate LFI attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-videopro-lfi/","summary":"CVE-2025-58913 is a PHP Local File Inclusion vulnerability in the CactusThemes VideoPro WordPress theme, affecting versions from n/a through 2.3.8.1 due to improper control of the filename for include/require statements, potentially allowing unauthorized file access.","title":"CactusThemes VideoPro Theme Local File Inclusion Vulnerability (CVE-2025-58913)","url":"https://feed.craftedsignal.io/briefs/2026-04-videopro-lfi/"}],"language":"en","title":"CraftedSignal Threat Feed — Lfi","version":"https://jsonfeed.org/version/1.1"}