CVE-2025-30845
Published: 27 March 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-30845 is an Improper Control of Filename for Include/Require Statement vulnerability in a PHP program, classified as PHP Local File Inclusion (CWE-98), affecting the webangon The Pack Elementor addons (the-pack-addon) WordPress plugin. This issue impacts all versions from n/a through 2.1.1, allowing improper handling that enables local file inclusion.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). Low-privileged authenticated users (PR:L) with network access (AV:N) can exploit it, though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) with no scope change (S:U), potentially allowing attackers to include and execute local files.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/the-pack-addon/vulnerability/wordpress-the-pack-elementor-addons-plugin-2-1-1-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI in public-facing WordPress plugin directly enables T1190 exploitation; facilitates T1100 by allowing inclusion/execution of local PHP files (e.g., web shells).