CVE-2025-30868
Published: 27 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-30868 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (CWE-98), the weakness class behind PHP Remote and Local File Inclusion. In this instance it allows PHP Local File Inclusion in the Team Manager (wp-team-manager) WordPress plugin by Maidul. Affected versions are n/a through 2.1.23, i.e. every release up to and including 2.1.23. The issue carries a CVSS v3.1 base score of 7.5 (High) with vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.
Exploitation is over the network (AV:N), needs low privileges (PR:L), in practice an authenticated WordPress account with minimal capabilities, requires no user interaction (UI:N), and is rated high attack complexity (AC:H). A successful attacker can make the plugin include a local file of their choosing: a PHP file is executed, any other file has its contents returned to the response. The outcome therefore ranges from disclosure of sensitive files (configuration, credentials) to code execution where the attacker can get PHP into a locally includable file, up to full compromise of the site, which is why confidentiality, integrity and availability are all rated High.
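The following is an added example and not code from the Team Manager plugin: it shows the CWE-98 pattern behind this class of bug in a typical WordPress template loader, with the vulnerable form beside a hardened one. The request parameter name (layout), the templates/ directory and the file names are assumptions made for the demonstration; the script builds its own throwaway directory and runs stand-alone under PHP 8 from the command line.

```php
<?php
declare(strict_types=1);

// Constructed fixture: templates/ with two legitimate templates and a
// sensitive file one level above it, standing in for wp-config.php.
$root = sys_get_temp_dir() . '/cwe98-demo-' . getmypid();
mkdir("$root/templates", 0700, true);
file_put_contents("$root/templates/grid.php", "<?php echo \"grid template\\n\";");
file_put_contents("$root/templates/list.php", "<?php echo \"list template\\n\";");
file_put_contents("$root/secret.php", "<?php echo \"DB_PASSWORD=hunter2\\n\";");
define('TM_TEMPLATE_DIR', "$root/templates");

// VULNERABLE (CWE-98): the untrusted value is concatenated straight into
// include(). A value such as "../secret" escapes the template directory and
// the included file is executed as PHP (or echoed, if it is not PHP).
function tm_load_layout_vulnerable(string $layout): void
{
    include TM_TEMPLATE_DIR . '/' . $layout . '.php';
}

// HARDENED: map the untrusted name onto a fixed allowlist, then confirm the
// resolved path still lies inside the template directory before including it.
// Either check alone would stop this case; together they also survive a later
// refactor that loosens one of them.
function tm_resolve_layout(string $layout): ?string
{
    static $allowed = ['grid', 'list'];
    if (!in_array($layout, $allowed, true)) {
        return null;
    }
    $base = realpath(TM_TEMPLATE_DIR);
    $path = realpath(TM_TEMPLATE_DIR . '/' . $layout . '.php');
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

function tm_load_layout_hardened(string $layout): void
{
    $path = tm_resolve_layout($layout);
    if ($path === null) {
        http_response_code(400);
        echo "rejected layout: $layout\n";
        return;
    }
    include $path;
}

// Simulated requests: one legitimate layout name, one traversal attempt.
foreach (['grid', '../secret'] as $layout) {
    echo "--- vulnerable, layout=$layout\n";
    tm_load_layout_vulnerable($layout);   // "../secret" leaks DB_PASSWORD
    echo "--- hardened, layout=$layout\n";
    tm_load_layout_hardened($layout);     // "../secret" is rejected
}

// Remove the fixture.
array_map('unlink', glob("$root/templates/*.php"));
unlink("$root/secret.php");
rmdir("$root/templates");
rmdir($root);
```

Run it with `php example.php`; the vulnerable loader prints the contents of the file outside templates/ for the traversal input, the hardened loader rejects it. The realpath check matters beyond the allowlist: it also defeats names that pass a weaker filter but still resolve outside the directory via symlinks or encoded separators.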
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-team-manager/vulnerability/wordpress-team-manager-plugin-2-1-23-local-file-inclusion-vulnerability?_s_id=cve documents this Local File Inclusion vulnerability in Team Manager version 2.1.23 and gives mitigation guidance. Operators running version 2.1.23 or earlier should apply the fixed release indicated there, or deactivate the plugin until they can.
Details
- CWE(s): CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An LFI in a public-facing WordPress plugin is exploited directly against the web application, which is Exploit Public-Facing Application (T1190), and its primary effect is reading arbitrary local files for data exposure, which is Data from Local System (T1005). Code execution is possible only when the attacker can steer the include to a local file containing PHP, so it is treated as a secondary outcome rather than mapped to a separate technique.