Cyber Resilience

CVE-2025-30845

High

Published: 27 March 2025
Modified: 23 April 2026
KEV Added: none (not in the CISA KEV catalog)
Patch: not listed
CVSS v3.1 Score: 7.5 (vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0231 (85.1st percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-30845 is a high-severity CWE-98 vulnerability (Improper Control of Filename for Include/Require Statement in PHP Program, catalogued under the name 'PHP Remote File Inclusion') that manifests as PHP Local File Inclusion. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score ranks it in the top 14.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-30845 is a PHP Local File Inclusion flaw (CWE-98) caused by improper control of the filename passed to include or require statements. It affects the WordPress plugin The Pack Elementor addons (the-pack-addon) by webangon, in all versions through 2.1.1.

The CVSS vector describes an attacker who reaches the plugin over the network (AV:N) with low-privilege authentication (PR:L), facing high attack complexity (AC:H) but needing no user interaction (UI:N). Successful exploitation has high impact on confidentiality, integrity, and availability, consistent with the 7.5 rating.

The issue is tracked in the Patchstack vulnerability database, which lists the affected plugin versions and links to the corresponding CVE entry. The EPSS score remains flat at 0.0231 with no material increase observed after disclosure.

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in webangon The Pack Elementor addons the-pack-addon allows PHP Local File Inclusion. This issue affects The Pack Elementor addons: from n/a through <= 2.1.1.

CWE(s)

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

LFI in a public-facing WordPress plugin directly enables T1190 exploitation, and it facilitates Web Shell persistence (T1505.003, formerly tracked as T1100) by allowing inclusion and execution of local PHP files, such as a previously uploaded web shell.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13408 (shared CWE-98)
CVE-2026-39387 (shared CWE-98)
CVE-2026-3425 (shared CWE-98)
CVE-2026-27383 (shared CWE-98)
CVE-2024-51319 (shared CWE-98)
CVE-2025-26985 (shared CWE-98)
CVE-2025-52732 (shared CWE-98)
CVE-2025-69078 (shared CWE-98)
CVE-2026-24538 (shared CWE-98)
CVE-2025-54031 (shared CWE-98)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent (SI-2, Flaw Remediation): Directly requires identification, reporting, and correction of the PHP Local File Inclusion flaw in the the-pack-addon WordPress plugin.

Prevent (SI-10, Information Input Validation): Mandates validation of user-supplied filenames for PHP include/require statements to prevent local file inclusion exploitation.

Prevent: Enforces restrictions on information inputs, such as whitelisting allowed filenames, to block malicious paths in PHP file inclusion operations.
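As an added illustration of the input-validation controls listed above, the following PHP helper shows the allowlist pattern a plugin can use in place of passing a request parameter into include: the parameter is only ever a lookup key into a fixed map, so it never contributes characters to the path that is included, and the resolved path is checked against the template directory as a second layer. This is generic example code written for this page, not code from the-pack-addon or from its vendor; the class, method, file and directory names are hypothetical.

```php
<?php
// Example only: allowlist-based template loading for a WordPress-style plugin.
// Not the-pack-addon's code; all identifiers below are hypothetical.
declare(strict_types=1);

// The CWE-98 shape this page describes is an include whose filename is
// influenced by request data, e.g. (anti-pattern, never do this):
//     include $_GET['template'] . '.php';
// The loader below replaces that with a fixed key-to-file map.

final class TemplateLoader
{
    /** Template keys the plugin accepts, mapped to the files that back them. */
    private const ALLOWED_TEMPLATES = [
        'grid'     => 'grid.php',
        'list'     => 'list.php',
        'carousel' => 'carousel.php',
    ];

    private string $templateDir;

    public function __construct(string $templateDir)
    {
        // Canonicalise once so later prefix checks compare like with like.
        $real = realpath($templateDir);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException('Template directory does not exist');
        }
        $this->templateDir = $real;
    }

    /**
     * Resolve a request parameter to an absolute template path, or null if it
     * is not an allowed key. The parameter is used only as an array key; no
     * part of it is ever concatenated into the filesystem path.
     */
    public function resolve(string $requested): ?string
    {
        if (!array_key_exists($requested, self::ALLOWED_TEMPLATES)) {
            return null;
        }
        $path = $this->templateDir . DIRECTORY_SEPARATOR . self::ALLOWED_TEMPLATES[$requested];

        // Defence in depth: the resolved file must still sit inside the template
        // directory (guards against symlinks or a misconfigured directory).
        $real = realpath($path);
        if ($real === false || !str_starts_with($real, $this->templateDir . DIRECTORY_SEPARATOR)) {
            return null;
        }
        return $real;
    }

    /** Render the allowed template, or fail closed with a 400 and an audit log line. */
    public function render(string $requested, array $vars = []): void
    {
        $path = $this->resolve($requested);
        if ($path === null) {
            // Log the rejected key for detection purposes; do not echo it back unescaped.
            error_log(sprintf('[template-loader example] rejected template key: %s', rawurlencode($requested)));
            http_response_code(400);
            return;
        }
        // $vars is available to the included template as a plain array.
        include $path;
    }
}

// Usage (constructed): the request parameter is validated before any include runs.
$loader = new TemplateLoader(__DIR__ . '/templates');
$loader->render($_GET['template'] ?? 'grid', ['title' => 'Products']);
```

Repeated 400 responses from this loader, or a burst of "rejected template key" log lines carrying path-like values, are the defender-side signal that someone is probing the include parameter; the allowlist keeps such requests from ever reaching include.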
