Cyber Posture

CVE-2025-30846

High

Published: 27 March 2025
Modified: 23 April 2026
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0056 (68.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Security Summary

CVE-2025-30846 is a PHP Local File Inclusion vulnerability, stemming from improper control of filename for include/require statements (CWE-98), in the Restaurant Menu by MotoPress WordPress plugin (mp-restaurant-menu). The flaw affects all versions from n/a through 2.4.4 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by a low-privileged authenticated user over the network, with low attack complexity and no user interaction required. Successful exploitation has high impact on confidentiality, integrity, and availability: an attacker can read sensitive local files and, because the included file is executed as PHP, potentially achieve arbitrary code execution on the web server.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/mp-restaurant-menu/vulnerability/wordpress-restaurant-menu-by-motopress-plugin-2-4-4-local-file-inclusion-vulnerability?_s_id=cve.
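The weakness class behind this advisory, CWE-98, is an include/require whose target filename is derived from request input. The snippet below is an added illustration of that pattern and of the allowlist-plus-path-check fix a reviewer would expect; it is not code from the mp-restaurant-menu plugin or from Patchstack, and the parameter name `template`, the `templates/` directory and the function names are assumptions.

```php
<?php
// Added illustration of CWE-98 (PHP Local File Inclusion); not the plugin's code.
// The request parameter ($_GET['template']), the templates/ directory and the
// function names are assumptions made for this example.

// VULNERABLE PATTERN: the include path is concatenated from untrusted input.
// Any value containing "../" sequences escapes the intended directory, and
// whatever file is reached is parsed and executed as PHP. This is the shape
// of flaw that CWE-98 describes.
function render_template_vulnerable(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// HARDENED PATTERN: user input selects an entry from a fixed allowlist; the
// filesystem path is never built directly from the request value.
const ALLOWED_TEMPLATES = ['list', 'grid', 'compact'];

function render_template_safe(string $template): void
{
    if (!in_array($template, ALLOWED_TEMPLATES, true)) {
        http_response_code(400);
        echo 'unknown template';
        return;
    }

    // Defence in depth: resolve both paths and confirm the target still sits
    // inside the template directory even if the allowlist is edited later.
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $template . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(400);
        echo 'invalid template path';
        return;
    }

    include $path;
}

// Hypothetical call site inside a request handler:
// render_template_safe($_GET['template'] ?? 'list');
```

In a WordPress plugin the handler that reaches this code should additionally enforce a capability check (for example `current_user_can()`) and a nonce, since the advisory notes that a low-privileged authenticated account is sufficient to reach the vulnerable code path. For detection, web server and WAF logs showing `../` sequences or absolute paths in parameters that are expected to carry a short template or view name are the signal to alert on.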

Details

CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, "PHP Remote File Inclusion")

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

A Local File Inclusion flaw in a public-facing WordPress plugin maps to exploitation of the application itself (T1190), direct reads of files on the web server (T1005), and arbitrary code execution through PHP's include mechanism (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
