CVE-2025-30831
Published: 27 March 2025
Summary
CVE-2025-30831 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 17.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the improper filename control in PHP include/require by enforcing validation of user-supplied inputs used for file inclusion in the Themify Event Post plugin.
Requires timely identification, reporting, and patching of the LFI vulnerability in Themify Event Post plugin versions through 1.3.2 to eliminate the exploitable flaw.
Enforces secure configuration settings for PHP and web server environments, such as open_basedir restrictions and disabling dangerous includes, to limit local file access even if input validation fails.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing WordPress plugin allows local file inclusion leading to arbitrary PHP code execution and system compromise over the network.
NVD Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themifyme Themify Event Post themify-event-post allows PHP Local File Inclusion.This issue affects Themify Event Post: from n/a through <= 1.3.2.
Deeper analysisAI
CVE-2025-30831 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Remote File Inclusion issue that enables PHP Local File Inclusion, in the Themify Event Post WordPress plugin by themifyme. The vulnerability affects the plugin from unknown initial versions through 1.3.2. It is associated with CWE-98 and carries a CVSS 3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, high attack complexity, low privilege requirements, and high impacts across confidentiality, integrity, and availability.
Exploitation requires an attacker to have low privileges, such as an authenticated WordPress user with minimal roles, to perform the attack over the network without user interaction. Successful exploitation allows the attacker to include and potentially execute arbitrary local PHP files on the server, leading to unauthorized access to sensitive data, code execution, or system compromise depending on the included files and server configuration.
The Patchstack advisory provides details on the vulnerability, including mitigation recommendations, at https://patchstack.com/database/Wordpress/Plugin/themify-event-post/vulnerability/wordpress-themify-event-post-plugin-1-3-2-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)