CVE-2025-10143: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in catchthemes Catch Dark Mode
The Catch Dark Mode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0 via the 'catch_dark_mode' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
AI Analysis
Technical Summary
CVE-2025-10143 is a Local File Inclusion (LFI) vulnerability in the Catch Dark Mode plugin for WordPress, affecting all versions up to and including 2.0. The flaw sits in the 'catch_dark_mode' shortcode: input reaching the shortcode is used, without adequate validation, to build the filename handed to a PHP include or require statement, so an authenticated user with the Contributor role or higher can make the server include an arbitrary .php file from its filesystem, and any PHP code in that file runs with the privileges of the web server process. Two limits matter when judging the real impact. First, LFI on its own only executes files that already exist on the server; turning it into arbitrary code execution requires attacker-controlled PHP content on disk, for example a .php file that some other weakness lets the attacker upload, which is why the advisory qualifies code execution with "in cases where .php file types can be uploaded and included". Second, the default WordPress Contributor role can write and submit posts (and therefore embed shortcodes) but lacks the upload_files capability, so a stock installation gives a Contributor no direct way to plant such a file; sites that grant Contributors media uploads, or that run other plugins accepting uploads, are at materially higher risk. The attack is network-reachable, needs low-privilege authentication and no user interaction. The record carries a CVSS 3.1 base score of 7.5 (high), driven by confidentiality, integrity and availability impact. The weakness is classified as CWE-98; the CWE title names 'PHP Remote File Inclusion', but the class covers any include/require whose filename an attacker controls, and here the reachable files are local. No public exploit was known at the time of this analysis and no patched version is recorded here, so mitigation rests on limiting who holds Contributor-or-higher accounts, preventing PHP execution from writable directories, and monitoring.
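The following is an added illustration of the CWE-98 pattern described above, written for this page; it is not the Catch Dark Mode plugin's code, and the shortcode name (example_dark_mode), the attribute name (template) and the template file names are hypothetical. The first handler shows how a shortcode attribute that flows into include() becomes an LFI; the second shows the fix a reviewer would ask for: resolve a user-supplied key against a fixed allowlist and never concatenate the raw value into a path.

```php
<?php
// Added example of the CWE-98 bug class and its fix. NOT the plugin's code;
// all names below are hypothetical.

// --- Vulnerable pattern: an attacker-influenced value reaches include() ---
function example_vuln_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'template' => 'default' ), $atts, 'example_dark_mode' );
    // A Contributor who writes [example_dark_mode template="../../some/other/file"]
    // controls the filename: the concatenated string is included as PHP.
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['template'] . '.php';
    return ob_get_clean();
}

// --- Hardened: map keys to fixed files, then verify the resolved path ---
function example_safe_shortcode( $atts ) {
    $templates = array(            // every allowed key maps to one fixed file
        'default' => 'default.php',
        'compact' => 'compact.php',
    );
    $atts = shortcode_atts( array( 'template' => 'default' ), $atts, 'example_dark_mode' );
    $key  = (string) $atts['template'];
    if ( ! isset( $templates[ $key ] ) ) {
        return ''; // unknown key: render nothing, never fall back to the raw value
    }
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = realpath( $base . DIRECTORY_SEPARATOR . $templates[ $key ] );
    // Defence in depth: the resolved file must still live inside the templates dir.
    if ( false === $base || false === $file
         || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return '';
    }
    ob_start();
    include $file;
    return ob_get_clean();
}
add_shortcode( 'example_dark_mode', 'example_safe_shortcode' );
```

The allowlist is the actual fix; the realpath() prefix check is belt-and-braces against a future edit that reintroduces a dynamic path. Note that sanitising with basename() alone is not enough for this class of bug, because a shortcode author can still point at any .php file in the templates directory, and stripping "../" sequences can be bypassed by nesting them.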
Potential Impact
Successful exploitation lets an authenticated attacker execute PHP code on the web server and, in the worst case, take over the site entirely: bypass WordPress authentication and authorization checks, read sensitive files such as wp-config.php and user data once code runs, alter content, plant a web shell, and use the host as a pivot into adjacent systems. Confidentiality, integrity and availability are all affected. Because Contributor-level access suffices, the precondition is low: a phished or reused password for any Contributor account, or a separate privilege-escalation bug, is enough to reach the vulnerable code path, although full code execution additionally requires a way to get attacker-controlled PHP onto the disk. No user interaction is needed and the vector is network-based, so once details or a proof of concept circulate, exploitation across the many WordPress sites running the plugin can be automated. Consequences include data breach, defacement, service disruption and reputational harm.
Mitigation Recommendations
Mitigation for CVE-2025-10143, in priority order:
- Update the plugin as soon as the vendor publishes a version later than 2.0. Until then, deactivate or remove Catch Dark Mode if the dark-mode feature is not essential.
- Reduce who can reach the vulnerable path: review every account at Contributor level or above, remove stale or unused ones, enforce strong passwords and multi-factor authentication, and confirm that no role customisation or plugin grants Contributors the upload_files capability.
- Make the LFI hard to weaponise: block PHP execution in wp-content/uploads and any other web-writable directory at the web server, so an uploaded .php file cannot be served or included as code, and restrict upload MIME types to what the site actually needs.
- Detect attempts: search post, page and revision content for the catch_dark_mode shortcode carrying unexpected attribute values (path separators, dot-dot sequences, .php suffixes, php:// or other stream wrappers), and watch web-server and PHP error logs for include or require failures referencing unusual paths.
- Virtually patch: a WAF rule matching LFI patterns in request bodies helps against injection over HTTP, but the shortcode is stored in the database and rendered server-side, so a code-level filter that short-circuits or strips the shortcode is the more reliable stopgap.
- Keep WordPress core and all plugins current, subscribe to the vendor's and Wordfence's advisories for the fix, and include file-inclusion checks in routine penetration tests.
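As an added example of the code-level virtual patch recommended above (this is not vendor or Wordfence code), the following must-use plugin uses two WordPress hooks that exist in core: pre_do_shortcode_tag (WordPress 4.7 and later) to short-circuit rendering of the catch_dark_mode shortcode before the plugin's handler runs, and content_save_pre to stop users without manage_options from saving new copies of the shortcode. The log line format is an assumption for this example.

```php
<?php
/**
 * Plugin Name: Neutralize catch_dark_mode shortcode (temporary virtual patch)
 * Description: Added example, not vendor code. Place in wp-content/mu-plugins/
 *              until Catch Dark Mode is updated past 2.0, then delete it.
 */

// 1. Short-circuit the shortcode at render time. pre_do_shortcode_tag receives
//    (false, $tag, $attr, $m); returning anything other than false replaces the
//    handler's output, so the vulnerable include path is never reached.
add_filter( 'pre_do_shortcode_tag', function ( $output, $tag, $attr, $m ) {
    if ( 'catch_dark_mode' !== $tag ) {
        return $output;
    }
    // Record the attempt for triage: which post, which URI, what attributes.
    error_log( sprintf(
        '[virtual-patch] blocked [catch_dark_mode] render; post=%s uri=%s atts=%s',
        var_export( get_the_ID(), true ),
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-',
        wp_json_encode( $attr )
    ) );
    return ''; // render nothing in place of the shortcode
}, 0, 4 );

// 2. Stop low-privileged authors from storing the shortcode in new or edited
//    content. Administrators keep the ability so legitimate use can be restored
//    once the plugin is patched.
add_filter( 'content_save_pre', function ( $content ) {
    if ( current_user_can( 'manage_options' ) ) {
        return $content;
    }
    // Remove opening and closing forms, e.g. [catch_dark_mode ...] and [/catch_dark_mode].
    return preg_replace( '/\[\/?catch_dark_mode\b[^\]]*\]/i', '', $content );
}, 10, 1 );
```

Hook 1 is the one that actually closes the hole, because existing posts already containing the shortcode are still rendered through do_shortcode(); hook 2 only limits new abuse and gives an audit trail via the stripped content. Both break the dark-mode toggle for visitors while in place, which is the intended trade-off for a stopgap.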
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-08T20:51:23.453Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ca1a3d571b2840ff0172de
Added to database: 9/17/2025, 2:17:33 AM
Last enriched: 2/27/2026, 6:10:24 PM
Last updated: 3/26/2026, 7:04:58 AM