CVE-2025-10143
WordPress · WordPress Catch Dark Mode Plugin
A high-severity vulnerability has been identified in the Catch Dark Mode plugin for WordPress.
Executive summary
A high-severity vulnerability has been identified in the Catch Dark Mode plugin for WordPress. This flaw could allow an unauthenticated attacker to access sensitive files on the web server, potentially exposing confidential information such as database credentials, system configuration files, and other private data, leading to further system compromise.
Vulnerability
The vulnerability is a Local File Inclusion (LFI) flaw within the Catch Dark Mode plugin. An attacker can exploit this by sending a specially crafted request to the web server that manipulates a parameter to include and display the contents of arbitrary files on the server's filesystem. For example, an attacker could potentially read sensitive files such as wp-config.php (containing database credentials), /etc/passwd, or other application and system files, without requiring any prior authentication.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to significant data breaches by exposing sensitive information, including database connection strings, API keys, and internal system configurations. This exposure could serve as a foothold for more advanced attacks, potentially leading to a full system compromise, reputational damage, and regulatory fines depending on the nature of the data exposed.
Remediation
Immediate Action: Update the Catch Dark Mode plugin to the latest version provided by the vendor, which addresses this vulnerability, without delay. If the plugin is not essential for business operations, consider deactivating and removing it entirely to reduce the attack surface.
Proactive Monitoring: Monitor web server access logs for suspicious requests containing directory traversal patterns (e.g., ../, ..%2F, %2e%2e/) in URL parameters associated with the plugin. Implement file integrity monitoring on critical WordPress core files and the wp-config.php file to detect any unauthorized access or changes.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rulesets designed to detect and block Local File Inclusion and directory traversal attacks. Additionally, ensure web server file permissions are properly hardened to restrict the web server user's access to only the necessary directories, preventing it from reading sensitive system-level files.
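The access-log review described under Proactive Monitoring, as an added example that is not part of this advisory: it parses combined-format access log lines, URL-decodes the request target (including double encoding) and flags requests to the plugin directory that carry the traversal patterns listed above. The plugin directory name, the example.php endpoint and the file parameter in the constructed sample lines are assumptions, not the plugin's real entry point.

```python
import re
from urllib.parse import unquote

# Assumed plugin directory; the advisory does not state the slug, so adjust it.
PLUGIN_PATH_HINT = "/wp-content/plugins/catch-dark-mode/"

# Traversal sequences named in the advisory (../, ..%2F, %2e%2e/) plus the fully encoded
# and backslash variants; matched case-insensitively against raw and decoded targets.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|\.\.%2f|%2e%2e/|%2e%2e%2f", re.IGNORECASE)

# Apache/nginx "combined" access-log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3})"
)

# Constructed sample log lines; example.php and the "file" parameter are placeholders,
# not the plugin's real vulnerable endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2025:10:01:02 +0000] "GET /wp-content/plugins/catch-dark-mode/css/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Sep/2025:10:01:10 +0000] "GET /wp-content/plugins/catch-dark-mode/example.php?file=../../../../wp-config.php HTTP/1.1" 200 3021 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Sep/2025:10:02:33 +0000] "GET /wp-content/plugins/catch-dark-mode/example.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1780 "-" "python-requests/2.31"',
    '198.51.100.8 - - [10/Sep/2025:10:03:00 +0000] "GET /wp-content/plugins/catch-dark-mode/example.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 0 "-" "-"',
    '192.0.2.4 - - [10/Sep/2025:10:04:00 +0000] "GET /?s=../etc HTTP/1.1" 200 4400 "-" "Mozilla/5.0"',
]

def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded forms such as %252e%252e%252f normalise."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_attempt(target):
    """True if the raw or the fully decoded request target carries a traversal sequence."""
    return bool(TRAVERSAL_RE.search(target) or TRAVERSAL_RE.search(fully_decode(target)))

def find_suspicious(lines):
    """Return (ip, timestamp, status, decoded target) for plugin requests with traversal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if PLUGIN_PATH_HINT in target.lower() and is_traversal_attempt(target):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status")), fully_decode(target)))
    return hits
```

A hit with status 200 means the server answered the traversal request and the returned size should be compared against the file sizes the advisory names; a 403 shows the WAF or server blocked it but still identifies a probing source.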
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.5) and the potential for severe data exposure, immediate action is required. We strongly recommend that organizations using the affected Catch Dark Mode plugin prioritize applying the available patch without delay. Although there is no evidence of active exploitation, the ease with which this type of vulnerability can be exploited makes it a critical risk that should be remediated immediately.