CVE-2025-32154: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-32154) was discovered in the Catch Dark Mode WordPress plugin affecting versions through 1.2.1. The vulnerability was initially reported by Trương Hữu Phúc on December 26, 2024, and was publicly disclosed on April 4, 2025. The issue is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (Patchstack).

The vulnerability is categorized as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It has received a CVSS v3.1 Base Score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires Contributor or higher level privileges to exploit (NVD, Patchstack).

The vulnerability could allow a malicious actor to include local files of the target website and display their contents. This could potentially lead to exposure of sensitive information, including database credentials, which depending on the configuration could result in complete database compromise (Patchstack).

As no official fix is available and the software is considered abandoned, the recommended mitigation is to remove and replace the Catch Dark Mode plugin with an alternative solution. It's important to note that merely deactivating the plugin does not remove the security threat unless a virtual patch is deployed (Patchstack).