CVE-2025-30814
Published: 27 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-30814 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (CWE-98, titled "PHP Remote File Inclusion" but here enabling PHP Local File Inclusion) in the WordPress plugin The Post Grid by RadiusTheme. It affects all versions from n/a through 7.7.17 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability is exploitable remotely over the network by low-privileged authenticated users (PR:L) and needs no user interaction (UI:N), but has high attack complexity (AC:H). Successful exploitation has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H): the local file inclusion can expose sensitive files on the server.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/the-post-grid/vulnerability/wordpress-the-post-grid-plugin-7-7-17-local-file-inclusion-vulnerability?_s_id=cve documents the local file inclusion vulnerability in The Post Grid plugin version 7.7.17.
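As an added illustration of the CWE-98 weakness class named above (not code from The Post Grid or Patchstack), the pattern that lets request input reach include() is shown beside a hardened loader. The parameter name "layout", the template directory and the allowlist are assumptions; the demo needs PHP 8 for str_starts_with().

```php
<?php
// Added example, not the plugin's code. Parameter name, template directory and
// allowlist are hypothetical.

// VULNERABLE (CWE-98): the include path is concatenated from request input, so a
// traversal string in $layout selects an arbitrary .php file on the server.
function load_layout_vulnerable(string $templateDir, string $layout): void
{
    include $templateDir . '/' . $layout . '.php';
}

// HARDENED: accept only allowlisted names, then confirm the resolved path is still
// inside the template directory. Returns null when the input must be rejected.
function resolve_layout_path(string $templateDir, string $layout): ?string
{
    $allowed = ['grid', 'list', 'masonry'];   // hypothetical layout names
    if (!in_array($layout, $allowed, true)) {
        return null;                            // unknown name: never touch the filesystem
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $layout . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // Separator appended so "/templates-old/x.php" is not accepted for "/templates".
    return str_starts_with($path, $base . DIRECTORY_SEPARATOR) ? $path : null;
}

function load_layout_hardened(string $templateDir, string $layout): bool
{
    $path = resolve_layout_path($templateDir, $layout);
    if ($path === null) {
        // Reject outright and log it: rejected layout names are a useful detection signal.
        error_log('layout rejected: ' . var_export($layout, true));
        return false;
    }
    include $path;
    return true;
}

// Self-contained demonstration with a constructed template directory.
$dir = sys_get_temp_dir() . '/lfi-example-' . getmypid();
mkdir($dir);
file_put_contents($dir . '/grid.php', "<?php echo \"grid template rendered\\n\";");
var_dump(load_layout_hardened($dir, 'grid'));
var_dump(load_layout_hardened($dir, '../../../etc/passwd'));
unlink($dir . '/grid.php');
rmdir($dir);
```

The second call returns false without including anything, and the rejection is written to the PHP error log, which is where a WordPress host would pick it up for monitoring.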
Details
- CWE(s): CWE-98, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
Why these techniques?
This is a local file inclusion vulnerability in a publicly reachable WordPress plugin, so it maps directly to Exploit Public-Facing Application (T1190): an attacker with low-privileged access to the site can use it to read sensitive server files, with high impact on confidentiality, integrity, and availability.