CVE-2025-30785
Published: 27 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-30785 is an Improper Control of Filename for Include/Require Statement vulnerability in PHP programs, classified as a PHP Remote File Inclusion issue but enabling PHP Local File Inclusion, affecting the Subscribe to Download Lite WordPress plugin (subscribe-to-download-lite). This flaw impacts all versions from n/a through 1.2.9, as documented with CWE-98. The vulnerability was published on 2025-03-27 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Attackers can exploit this vulnerability remotely over the network (AV:N) with low privileges required (PR:L), though it demands high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation allows high-impact consequences, including unauthorized access to sensitive data (C:H), modification of system files or behavior (I:H), and disruption of service (A:H), all within unchanged scope (S:U).
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/subscribe-to-download-lite/vulnerability/wordpress-subscribe-to-download-lite-1-2-9-local-file-inclusion-vulnerability?_s_id=cve provides details on this Local File Inclusion vulnerability in Subscribe to Download Lite version 1.2.9.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a Local File Inclusion flaw in a public-facing WordPress plugin, directly enabling remote exploitation of public-facing applications (T1190) and access to data from the local system via arbitrary file inclusion (T1005).