CVE-2025-30895
Published: 27 March 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-30895 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, classified under CWE-22, in the magepeopleteam WpEvently mage-eventpress WordPress plugin. This flaw enables PHP Local File Inclusion and affects all versions of WpEvently from n/a through 4.2.9. The vulnerability received a CVSS v3.1 base score of 7.5.
The vulnerability can be exploited over the network (AV:N) by an attacker with low privileges (PR:L), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Exploitation remains within the unchanged security scope (S:U) and can lead to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary file inclusion and execution of malicious PHP code.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-4-2-9-php-object-injection-vulnerability?_s_id=cve documents this issue and serves as a primary reference for security practitioners seeking mitigation details.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing WordPress plugin directly enables T1190 for initial access via exploitation of the web application and facilitates T1100 by allowing inclusion/execution of malicious PHP code as a web shell.