CVE-2025-30845
Published: 27 March 2025
Summary
CVE-2025-30845 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 14.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-30845 is a PHP Local File Inclusion flaw (CWE-98) caused by improper control of filenames in include or require statements. It affects The Pack Elementor addons, a WordPress plugin from webangon, in all versions through 2.1.1.
An authenticated attacker with network access can exploit the issue; attack complexity is high and no user interaction is required. Successful exploitation has a high impact on confidentiality, integrity, and availability, consistent with the CVSS 7.5 rating.
The issue is tracked in the Patchstack vulnerability database, which lists the affected plugin versions and links to the corresponding CVE entry. The EPSS score remains flat at 0.0231 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8343
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in webangon The Pack Elementor addons the-pack-addon allows PHP Local File Inclusion. This issue affects The Pack Elementor addons: from n/a through <= 2.1.1.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
LFI in public-facing WordPress plugin directly enables T1190 exploitation; facilitates T1100 by allowing inclusion/execution of local PHP files (e.g., web shells).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires identification, reporting, and correction of the PHP Local File Inclusion flaw in the-pack-addon WordPress plugin.
Mandates validation of user-supplied filenames for PHP include/require statements to prevent local file inclusion exploitation.
Enforces restrictions on information inputs, such as whitelisting allowed filenames, to block malicious paths in PHP file inclusion operations.
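The filename allowlisting described above, sketched as an added example; this is not the plugin's code, which the page does not show. The parameter name `style`, the template names, and the functions `resolve_template` and `render_template` are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical names: the page does not publish the plugin's code or parameter.
const ALLOWED_TEMPLATES = [
    'grid'     => 'grid.php',
    'carousel' => 'carousel.php',
];

// Weak pattern that CWE-98 describes, for contrast (request value reaches include):
//   include $baseDir . '/' . $_GET['style'] . '.php';

/** Map a request key to a template path, or null when it must be rejected. */
function resolve_template(string $key, string $baseDir): ?string
{
    // The input only selects an allowlist entry; it never becomes part of a path.
    if (!array_key_exists($key, ALLOWED_TEMPLATES)) {
        return null;
    }
    // Defence in depth: canonicalise and confirm the file sits under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_TEMPLATES[$key]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

function render_template(string $key, string $baseDir): bool
{
    $path = resolve_template($key, $baseDir);
    if ($path === null) {
        // Encode before logging so the rejected value cannot forge log lines.
        error_log('template key rejected: ' . rawurlencode(substr($key, 0, 64)));
        return false;
    }
    include $path;
    return true;
}

// Constructed demo: a temporary template directory and three sample keys.
$dir = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/grid.php', "<?php // constructed template\n");
foreach (['grid', 'carousel', '../../wp-config'] as $key) {
    echo $key, ' => ', render_template($key, $dir) ? 'rendered' : 'rejected', "\n";
}
unlink($dir . '/grid.php');
rmdir($dir);
```

In the demo, `carousel` is allowlisted but its file does not exist, so it is rejected by the `realpath` check rather than by the allowlist lookup.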