CVE-2025-30831
Published: 27 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2025-30831 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Remote File Inclusion issue that enables PHP Local File Inclusion, in the Themify Event Post WordPress plugin by themifyme. The vulnerability affects the plugin from unknown initial versions through 1.3.2. It is associated with CWE-98 and carries a CVSS 3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, high attack complexity, low privilege requirements, and high impacts across confidentiality, integrity, and availability.
Exploitation requires an attacker to have low privileges, such as an authenticated WordPress user with minimal roles, to perform the attack over the network without user interaction. Successful exploitation allows the attacker to include and potentially execute arbitrary local PHP files on the server, leading to unauthorized access to sensitive data, code execution, or system compromise depending on the included files and server configuration.
The Patchstack advisory provides details on the vulnerability, including mitigation recommendations, at https://patchstack.com/database/Wordpress/Plugin/themify-event-post/vulnerability/wordpress-themify-event-post-plugin-1-3-2-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing WordPress plugin allows local file inclusion leading to arbitrary PHP code execution and system compromise over the network.