CVE-2025-30835
Published: 31 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-30835 is an Improper Control of Filename for Include/Require Statement vulnerability in PHP programs, described as PHP Remote File Inclusion but enabling PHP Local File Inclusion (LFI), affecting the Accounting for WooCommerce WordPress plugin by Bastien Ho. The issue impacts all versions from n/a through 1.6.8, as documented under CWE-98.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating it is exploitable over the network by unauthenticated attackers with no privileges required. Exploitation demands high attack complexity and user interaction, such as tricking a user into accessing a maliciously crafted page or input. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially allowing attackers to read local files on the server.
The Patchstack advisory provides further details on the vulnerability, including analysis and recommendations for mitigation, accessible at https://patchstack.com/database/Wordpress/Plugin/accounting-for-woocommerce/vulnerability/wordpress-accounting-for-woocommerce-plugin-1-6-8-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE is a local file inclusion vulnerability in a public-facing WordPress plugin, directly enabling remote exploitation of public-facing applications (T1190) and facilitating reading of local system files (T1005).