CVE-2025-10143: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in catchthemes Catch Dark Mode
The Catch Dark Mode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0 via the 'catch_dark_mode' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
AI Analysis
Technical Summary
CVE-2025-10143 is a high-severity vulnerability in the Catch Dark Mode WordPress plugin developed by catchthemes. It is classified under CWE-98 (improper control of the filename used in a PHP include or require statement), the weakness behind Remote File Inclusion (RFI) and Local File Inclusion (LFI). All versions of the plugin up to and including 2.0 are affected; the flaw is reached through the 'catch_dark_mode' shortcode. The plugin does not adequately validate or sanitize the filename that the shortcode passes to an include/require statement, so an authenticated user at Contributor level or above can steer that path to a .php file of their choosing on the server, and any PHP code in that file is executed, which amounts to remote code execution (RCE). No user interaction is required; the only prerequisite is an account with the Contributor role, a low-privilege role commonly given to users who can submit content but cannot manage plugins or themes. Consequences include bypassing access controls, unauthorized data disclosure, and full compromise of the site where the attacker can also place PHP files on the server (for example through another vulnerability or a misconfiguration). The CVSS v3.1 base score is 7.5: network attack vector, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No exploitation in the wild has been reported, but the vulnerability is publicly disclosed and therefore poses a significant risk to WordPress sites running this plugin.
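As an added illustration, not code from the Catch Dark Mode plugin or from this advisory: a hypothetical shortcode handler that selects a template file from a shortcode attribute, first in the unsafe shape CWE-98 describes and then in a hardened form that allowlists template names and confines the resolved path to the plugin's own directory. The shortcode name, attribute name, function names and template names are assumptions.

```php
<?php
// Hypothetical plugin code, written to illustrate CWE-98 in a WordPress
// shortcode. Nothing here is taken from the Catch Dark Mode plugin.

// UNSAFE pattern: the attribute value reaches include() unchanged. A user who
// can place the shortcode (Contributor and above) therefore decides which
// .php file on the server is executed.
function my_dark_mode_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'template' => 'default' ), $atts, 'my_dark_mode' );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['template'] . '.php';
    return ob_get_clean();
}

// HARDENED form: only names from a fixed allowlist are accepted, and the
// resolved file must still lie inside the plugin's templates directory.
function my_dark_mode_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'template' => 'default' ), $atts, 'my_dark_mode' );

    $allowed = array( 'default', 'toggle', 'switch' ); // assumed template names
    $name    = sanitize_key( $atts['template'] );       // keeps only [a-z0-9_-]
    if ( ! in_array( $name, $allowed, true ) ) {
        $name = 'default'; // unknown or tampered value falls back to a safe default
    }

    // Defence in depth: even with an allowlisted name, verify the real path.
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = realpath( $base . '/' . $name . '.php' );
    if ( false === $base || false === $file
        || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return ''; // missing file, symlink escape or traversal: render nothing
    }

    ob_start();
    include $file;
    return ob_get_clean();
}
add_shortcode( 'my_dark_mode', 'my_dark_mode_shortcode' );
```

The allowlist is the actual fix; the realpath() check only guards against a template directory that has been tampered with (for example through a symlink) and costs nothing extra.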
Potential Impact
For European organizations, this vulnerability is a significant threat wherever WordPress sites run the Catch Dark Mode plugin. Exploitation yields code execution on the web server, which can lead to breaches of sensitive customer or business data, website defacement, or use of the compromised server as a pivot point for further attacks inside the corporate network. Because only Contributor-level access is required, insider threats and compromised user accounts are realistic paths to exploitation. The impact is particularly severe for organizations subject to GDPR and other data protection regulations, since a breach can bring regulatory fines and reputational damage. Many European businesses also rely on WordPress for e-commerce, marketing, and customer engagement, so availability and integrity are critical. Arbitrary PHP execution can further be used to deploy malware, ransomware, or web shells. The lack of a patch at the time of disclosure makes mitigation urgent.
Mitigation Recommendations
1. Immediate mitigation should involve restricting Contributor-level user capabilities, ensuring that only trusted users have such access.
2. Disable or remove the Catch Dark Mode plugin until a security patch is released.
3. Implement strict file upload controls and scanning to prevent uploading of malicious PHP files that could be included.
4. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious include/require patterns or attempts to exploit the shortcode parameter.
5. Monitor web server logs for unusual file inclusion attempts or unexpected PHP file executions.
6. Harden WordPress installations by enforcing the principle of least privilege, disabling PHP execution in upload directories, and regularly auditing user roles and permissions.
7. Once a patch is available, promptly apply updates to the plugin.
8. Consider using security plugins that detect and prevent LFI/RFI attacks.
9. Educate site administrators and content contributors about the risks of privilege misuse and suspicious activity.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-08T20:51:23.453Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ca1a3d571b2840ff0172de
Added to database: 9/17/2025, 2:17:33 AM
Last enriched: 9/17/2025, 2:32:30 AM
Last updated: 9/19/2025, 7:22:36 AM
Views: 10
Related Threats
- CVE-2025-5955: CWE-288 Authentication Bypass Using an Alternate Path or Channel in aonetheme Service Finder SMS System (High)
- CVE-2025-10715: Improper Export of Android Application Components in APEUni PTE Exam Practice App (Medium)
- CVE-2025-10712: SQL Injection in 07FLYCMS (Medium)
- CVE-2025-10708: Path Traversal in Four-Faith Water Conservancy Informatization Platform (Medium)
- CVE-2025-10707: Improper Authorization in JeecgBoot (Medium)