CVE-2025-30785
Published: 27 March 2025
Summary
CVE-2025-30785 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a PHP Local File Inclusion issue, tracked as CWE-98, that stems from improper control of filenames in include/require statements. It affects the Subscribe to Download Lite WordPress plugin (also known as subscribe-to-download-lite) in all versions through 1.2.9.
An authenticated attacker with low privileges can supply a crafted filename over the network to force inclusion of arbitrary local files. Successful exploitation, which carries high attack complexity, can result in disclosure of sensitive information, modification of application behavior, or full compromise of the confidentiality, integrity, and availability of the affected site.
The sole advisory reference is a Patchstack entry that catalogs the flaw in the plugin but does not detail specific mitigation steps beyond the implied need to update. The EPSS score rose from a low baseline to a peak of 0.0241 on 2026-05-07 before receding to the current value of 0.0088, indicating a temporary increase in observed exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8382
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Download Lite subscribe-to-download-lite allows PHP Local File Inclusion. This issue affects Subscribe to Download Lite: from n/a through <= 1.2.9.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a Local File Inclusion flaw in a public-facing WordPress plugin, directly enabling remote exploitation of public-facing applications (T1190) and access to data from the local system via arbitrary file inclusion (T1005).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of untrusted inputs such as filenames used in PHP include/require statements, blocking local file inclusion exploitation.
- SI-2 (Flaw Remediation): mandates timely patching and remediation of the specific flaw in Subscribe to Download Lite plugin versions through 1.2.9.
- PHP configuration hardening: enforces settings such as open_basedir or disabled URL wrappers to restrict unauthorized local file access even if input validation fails.
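The following is an added illustration of the SI-10 control described above, showing the generic CWE-98 include pattern beside a hardened version. It is not code from the Subscribe to Download Lite plugin; the function and template names are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Names are hypothetical.

// Vulnerable pattern (CWE-98): a request-controlled value reaches include()
// unchecked, so any readable local file can be pulled into PHP execution.
function render_template_unsafe(string $name): void
{
    include __DIR__ . '/templates/' . $name . '.php';
}

// Hardened pattern (SI-10): map the request to a fixed allowlist of template
// identifiers and never concatenate the raw value into the include path.
const ALLOWED_TEMPLATES = [
    'form'    => 'templates/form.php',
    'success' => 'templates/success.php',
];

function resolve_template(string $name): ?string
{
    if (!array_key_exists($name, ALLOWED_TEMPLATES)) {
        return null; // unknown identifier: refuse rather than guess
    }
    $path = realpath(__DIR__ . '/' . ALLOWED_TEMPLATES[$name]);
    $base = realpath(__DIR__ . '/templates');
    // realpath() returns false for missing files; additionally confirm the
    // resolved path still lies under the templates directory (defence in depth).
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400);
        return;
    }
    include $path;
}

// Configuration backstop matching the third control above: in php.ini set
//   allow_url_include = Off
//   open_basedir = /path/to/wordpress   (placeholder, site-specific)
// so that even an unchecked include cannot reach arbitrary or remote files.
```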