CVE-2025-30890
Published: 27 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-30890 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (CWE-98, the "PHP Remote File Inclusion" weakness class) that manifests here as PHP Local File Inclusion in the SuitePlugins Login Widget for Ultimate Member WordPress plugin (login-widget-for-ultimate-member). All versions from n/a through 1.1.2 inclusive are affected. The record was published on 2025-03-27T11:15:49.920 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability is exploitable over the network (AV:N) by an attacker holding low privileges (PR:L), with high attack complexity (AC:H) and no user interaction required (UI:N). Successful exploitation has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), since the attacker can cause the PHP interpreter to include files it was never meant to load.
Patchstack provides details on the vulnerability in its advisory at https://patchstack.com/database/Wordpress/Plugin/login-widget-for-ultimate-member/vulnerability/wordpress-login-widget-for-ultimate-member-plugin-1-1-2-local-file-inclusion-vulnerability?_s_id=cve, which security practitioners should consult for mitigation guidance and patch information.
Details
- CWE(s): CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ("PHP Remote File Inclusion")
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
The CVE describes a network-exploitable PHP file inclusion vulnerability (LFI/RFI) in a public-facing WordPress plugin, directly enabling T1190 Exploit Public-Facing Application with high impact on confidentiality, integrity, and availability.