Cyber Resilience

CVE-2025-30785

Severity: High
Published: 27 March 2025
Modified: 23 April 2026
KEV Added: not listed
Patch: not specified
CVSS Score (v3.1): 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0088 (75.7th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-30785 is a high-severity vulnerability of the CWE-98 class (improper control of a filename used in a PHP include/require statement, 'PHP Remote File Inclusion'); in this case the flaw allows local file inclusion. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By EPSS the CVE ranks in the top 24.3% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a PHP Local File Inclusion issue, tracked as CWE-98, that stems from improper control of filenames in include/require statements. It affects the Subscribe to Download Lite WordPress plugin (also known as subscribe-to-download-lite) in all versions through 1.2.9.

An authenticated attacker with low privileges can supply a crafted filename over the network to force inclusion of arbitrary local files. Successful exploitation, which carries high attack complexity, can result in disclosure of sensitive information, modification of application behavior, or full compromise of the confidentiality, integrity, and availability of the affected site.

The sole advisory reference is a Patchstack entry that catalogs the flaw in the plugin but does not detail specific mitigation steps beyond the implied need to update. The EPSS score rose from a low baseline to a peak of 0.0241 on 2026-05-07 before receding to the current value of 0.0088, indicating a temporary increase in observed exploitation interest after public disclosure.

EU & UK References

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Download Lite (subscribe-to-download-lite) allows PHP Local File Inclusion. This issue affects Subscribe to Download Lite: from n/a through <= 1.2.9.

CWE(s)

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The vulnerability is a Local File Inclusion flaw in a public-facing WordPress plugin, directly enabling remote exploitation of public-facing applications (T1190) and access to data from the local system via arbitrary file inclusion (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-68537 (shared CWE-98)
- CVE-2026-28079 (shared CWE-98)
- CVE-2026-28061 (shared CWE-98)
- CVE-2026-28048 (shared CWE-98)
- CVE-2026-22516 (shared CWE-98)
- CVE-2026-28120 (shared CWE-98)
- CVE-2025-67992 (shared CWE-98)
- CVE-2025-31432 (shared CWE-98)
- CVE-2026-39613 (shared CWE-98)
- CVE-2025-26957 (shared CWE-98)

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation of untrusted inputs, such as filenames used in PHP include/require statements, to block local file inclusion exploitation.

SI-2 Flaw Remediation (prevent)
Mandates timely patching and remediation of the specific flaw in Subscribe to Download Lite plugin versions through 1.2.9.

Configuration hardening (prevent)
Enforces PHP configuration settings such as open_basedir or disabled URL wrappers to restrict unauthorized local file access even if input validation fails.
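As an added illustration that is not part of this advisory and not the plugin's own code, the CWE-98 pattern these controls address is shown beside a hardened form that applies SI-10 style input validation and the configuration hardening listed above; the parameter name, template names and directory layout are assumptions.

```php
<?php
// Constructed example for illustration; not code from Subscribe to Download Lite.
// The 'template' parameter, template names and paths are assumed.

// Vulnerable pattern (CWE-98): the request decides which file is included,
// so path traversal can pull in any file the PHP process can read.
function render_template_vulnerable(string $name): void
{
    include __DIR__ . '/templates/' . $name;
}

// Hardened pattern: map untrusted input onto a fixed allowlist of template
// keys (SI-10 input validation) and, as an independent second check, confine
// the resolved path to the templates directory.
const TEMPLATE_ALLOWLIST = [
    'form'    => 'download-form.php',
    'success' => 'download-success.php',
];

function resolve_template(string $name): ?string
{
    if (!array_key_exists($name, TEMPLATE_ALLOWLIST)) {
        return null; // unknown key: reject rather than guess
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . TEMPLATE_ALLOWLIST[$name]);
    // realpath() resolves symlinks and "..", so a prefix check is meaningful.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template_hardened(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400);
        exit('invalid template');
    }
    include $path;
}

// Defence in depth in php.ini (the configuration controls the page names):
// confine file access to the web root and disable remote inclusion, so a
// bypass of the validation above still cannot reach outside or fetch URLs.
//   open_basedir = /var/www/html
//   allow_url_include = Off
```

Only the mapped filename ever reaches include, so traversal sequences or absolute paths supplied in the request are discarded before any filesystem access.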

References