CVE-2025-30846
Published: 27 March 2025
Summary
CVE-2025-30846 is a high-severity file inclusion vulnerability classified under CWE-98 (PHP Remote File Inclusion). Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-30846 is a PHP Local File Inclusion vulnerability arising from improper control of filenames in include/require statements. It affects the Restaurant Menu by MotoPress WordPress plugin (mp-restaurant-menu), with all versions through 2.4.4 impacted. The flaw is tracked under CWE-98 and carries a CVSS 3.1 score of 8.8.
An attacker with low-privileged network access, such as an authenticated WordPress user, can supply a crafted filename that the plugin passes to an include/require statement, forcing inclusion of arbitrary local files on the server. Successful exploitation can result in disclosure of sensitive information, arbitrary code execution, or full compromise of the confidentiality, integrity, and availability of the affected site.
Patchstack maintains the primary advisory record for this issue. The EPSS score remains low, with a current value of 0.0160 and a peak of 0.0241.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8334
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jetmonsters Restaurant Menu by MotoPress mp-restaurant-menu allows PHP Local File Inclusion. This issue affects Restaurant Menu by MotoPress: from n/a through <= 2.4.4.
- CWE(s): CWE-98
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An LFI in a public-facing WordPress plugin lets an attacker exploit the application directly (T1190, Exploit Public-Facing Application), read local files from the server (T1005, Data from Local System), and achieve arbitrary code execution by including a file that contains PHP (T1059, Command and Scripting Interpreter).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates CVE-2025-30846 by identifying, prioritizing, and applying patches or updates to vulnerable versions of the mp-restaurant-menu WordPress plugin.
- SI-10 (Information Input Validation): Requires validation of untrusted filename inputs to PHP include/require statements, preventing local file inclusion exploitation in the plugin.
- Secure configuration settings: Enforces hardened PHP configuration, such as open_basedir restrictions, to limit the scope of local file access during LFI attempts.