{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5804", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-06-06T11:19:06.151Z", "datePublished": "2026-04-10T13:19:43.457Z", "dateUpdated": "2026-04-13T18:06:05.475Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-10T13:19:43.457Z"}, "title": "WordPress Case Theme User < 1.0.4 - Local File Inclusion Vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-98", "description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "CAPEC-252 PHP Local File Inclusion"}]}], "affected": [{"vendor": "Case Themes", "product": "Case Theme User", "versions": [{"status": "affected", "version": "n/a", "lessThan": "1.0.4", "changes": [{"at": "1.0.4", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User allows PHP Local File Inclusion.This issue affects Case Theme User: from n/a before 1.0.4.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User allows PHP Local File Inclusion.<p>This issue affects Case Theme User: from n/a before 1.0.4.</p>"}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/case-theme-user/vulnerability/wordpress-case-theme-user-1-0-4-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "solutions": [{"lang": "en", "value": "Update the WordPress Case Theme User plugin to the latest available version (at least 1.0.4).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Update the WordPress Case Theme User plugin to the latest available version (at least 1.0.4)."}]}], "credits": [{"lang": "en", "value": "Bonds | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T18:05:03.617750Z", "id": "CVE-2025-5804", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:06:05.475Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5804", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T18:05:03.617750Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:05:59.768Z"}}], "cna": {"title": "WordPress Case Theme User < 1.0.4 - Local File Inclusion Vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Bonds | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "CAPEC-252 PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Case Themes", "product": "Case Theme User", "versions": [{"status": "affected", "changes": [{"at": "1.0.4", "status": "unaffected"}], "version": "n/a", "lessThan": "1.0.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress Case Theme User plugin to the latest available version (at least 1.0.4).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress Case Theme User plugin to the latest available version (at least 1.0.4).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/case-theme-user/vulnerability/wordpress-case-theme-user-1-0-4-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User allows PHP Local File Inclusion.This issue affects Case Theme User: from n/a before 1.0.4.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User allows PHP Local File Inclusion.<p>This issue affects Case Theme User: from n/a before 1.0.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-10T13:19:43.457Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5804", "state": "PUBLISHED", "dateUpdated": "2026-04-13T18:06:05.475Z", "dateReserved": "2025-06-06T11:19:06.151Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-10T13:19:43.457Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User allows PHP Local File Inclusion.This issue affects Case Theme User: from n/a before 1.0.4."}], "id": "CVE-2025-5804", "lastModified": "2026-04-13T15:02:06.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-04-10T14:16:25.450", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/case-theme-user/vulnerability/wordpress-case-theme-user-1-0-4-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.0.4,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Case Theme User", "source": "cna", "vendor": "Case Themes"}, "product": "case_theme_user", "vendor": "case-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-10T15:06:12.428199+00:00", "value": {"mitigation_remediation": ["Apply the latest version of the Case Theme User plugin (v1.0.4 or newer).", "If an immediate update is unavailable, restrict the plugin\u2019s include paths to a safe directory and validate user input to prevent arbitrary file inclusion."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion that may enable remote code execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Case Theme User plugin installed with a version earlier than 1.0.4 are affected. The plugin is distributed by Case Themes under the product name Case Theme User; all releases prior to 1.0.4 are impacted.", "description_and_impact": "The vulnerability arises from improper control of a filename used in a PHP include or require statement within the Case Theme User plugin. An attacker could supply a crafted path that causes the plugin to include an arbitrary local file on the server, allowing reading of sensitive files, file disclosure, or execution of PHP code if the included file contains malicious code. This weakness aligns with CWE\u201198.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity local file inclusion. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote through the web interface, such as manipulating a query parameter that is passed to the include statement. The impact is confined to the web server\u2019s filesystem, but successful exploitation could compromise the entire site or host."}}}}, "created": "2026-04-10T14:40:44.878570+00:00", "updated": "2026-04-13T13:01:31.159261+00:00", "vendors": ["case-themes", "case-themes$PRODUCT$case_theme_user", "wordpress", "wordpress$PRODUCT$wordpress"]}