CVE-2025-30891
Published: 27 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-30891 is an Improper Control of Filename for Include/Require Statement vulnerability in PHP programs, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion (CWE-98). It affects the WpTravelly tour-booking-manager WordPress plugin developed by magepeopleteam, impacting all versions from n/a through 1.8.7.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, and exploitation feasible by low-privilege authenticated users without user interaction or scope changes. Attackers can achieve high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary local file inclusion and server compromise.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/tour-booking-manager/vulnerability/wordpress-wptravelly-plugin-1-8-7-local-file-inclusion-vulnerability?_s_id=cve. The vulnerability was published on 2025-03-27.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a local file inclusion vulnerability in a public-facing WordPress plugin, directly enabling exploitation of the web application (T1190) and collection of data from local system files via arbitrary include/require (T1005).