CVE-2025-30820
Published: 27 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-30820 is an Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in the HT Plugins WishSuite WordPress plugin. Although the weakness class is named for remote file inclusion, in this case it allows PHP Local File Inclusion. This issue affects WishSuite versions from n/a (no lower bound is given) through 1.4.4.
The vulnerability can be exploited by low-privileged users (PR:L) over the network (AV:N) with high attack complexity (AC:H) and no user interaction (UI:N), without changing scope (S:U). Successful exploitation leads to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), earning a CVSS 3.1 base score of 7.5 and mapping to CWE-98.
The Patchstack advisory provides further details on this Local File Inclusion vulnerability in the WordPress WishSuite plugin version 1.4.4, available at https://patchstack.com/database/Wordpress/Plugin/wishsuite/vulnerability/wordpress-wishsuite-plugin-1-4-4-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s): CWE-98
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a Local File Inclusion vulnerability in a public-facing WordPress plugin, directly enabling exploitation of public-facing applications via network access.