CVE-2025-30871
Published: 27 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-30871 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, described as PHP Remote File Inclusion but enabling PHP Local File Inclusion (CWE-98), in the WP Travel Engine WordPress plugin (wp-travel-engine). This issue affects all versions from n/a through 6.3.5, as published on 2025-03-27.
The vulnerability carries a CVSS v3.1 base score of 7.5 (High), with an attack vector of Network (AV:N), high attack complexity (AC:H), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). A low-privileged attacker can exploit it remotely with high complexity to perform local file inclusion, potentially allowing unauthorized access to or execution of local PHP files.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-travel-engine/vulnerability/wordpress-wp-travel-engine-plugin-6-3-5-local-file-inclusion-vulnerability?_s_id=cve) documents the local file inclusion vulnerability specifically in WP Travel Engine plugin version 6.3.5.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a local file inclusion vulnerability in a public-facing WordPress plugin, directly enabling exploitation via T1190: Exploit Public-Facing Application to achieve code execution or file access on the server.