Cyber Resilience

CVE-2025-30846

Severity: High
Published: 27 March 2025
Modified: 23 April 2026
KEV Added: not listed
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0160 (82.1st percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-30846 is a high-severity vulnerability in the Restaurant Menu by MotoPress WordPress plugin, classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, titled 'PHP Remote File Inclusion' although this instance is exploited as local file inclusion). Its CVSS 3.1 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.9% of all CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations this analysis identified are NIST SP 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-30846 is a PHP Local File Inclusion vulnerability arising from improper control of the filename passed to an include/require statement. It affects the Restaurant Menu by MotoPress WordPress plugin (mp-restaurant-menu); all versions up to and including 2.4.4 are affected (the advisory gives the range as 'n/a through <= 2.4.4'). The flaw is tracked under CWE-98 and carries a CVSS 3.1 base score of 8.8.

An attacker with low privileges on the site (PR:L in the vector; for example an authenticated WordPress user) who can reach the vulnerable code over the network can supply a crafted filename, typically containing directory-traversal sequences, to force inclusion of an arbitrary local file. Because PHP executes an included file rather than merely reading it, the impact depends on what the attacker can reach on disk: disclosure of any file the web server user can read (wp-config.php, with database credentials, is the usual first target, and php://filter can return PHP source without executing it) is the baseline, and arbitrary code execution follows if the attacker can place PHP code in any includable file, such as an uploaded file or a poisoned log. The CVSS vector accordingly rates confidentiality, integrity and availability impact all High.

Patchstack maintains the primary advisory record for this issue. The EPSS probability is low in absolute terms, currently 0.0160 with a historical peak of 0.0241, even though that value places the CVE in the 82nd percentile relative to other CVEs.

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jetmonsters Restaurant Menu by MotoPress mp-restaurant-menu allows PHP Local File Inclusion. This issue affects Restaurant Menu by MotoPress: from n/a through <= 2.4.4.

CWE(s)

CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The LFI sits in a public-facing WordPress plugin, so exploitation is an attack on the application itself (T1190); the include primitive reads arbitrary local files the web server can access (T1005); and because include executes PHP, an attacker who can stage PHP code in an includable file gains code execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
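To turn the T1190 mapping above into something a SOC can run, here is an added detector, not code from the page or the plugin, that flags LFI probes in combined-format web server access logs. The log lines are constructed for the example; the admin-ajax action and the `template` parameter in them are placeholders, because the advisory does not name the vulnerable request parameter, so the detector keys on traversal sequences, PHP stream wrappers and sensitive filenames in any query string rather than on a specific endpoint.

```php
<?php
// Added example (not from the advisory or the plugin): scan access-log lines for
// LFI indicators. Log lines are constructed; action/parameter names are placeholders.
declare(strict_types=1);

const LOG_LINES = [
    '198.51.100.7 - - [27/Mar/2025:09:58:10 +0000] "GET /wp-admin/admin-ajax.php?action=example_render&template=list HTTP/1.1" 200 1412 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Mar/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_render&template=../../../../wp-config.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '203.0.113.5 - - [27/Mar/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_render&template=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '203.0.113.5 - - [27/Mar/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=example_render&template=php://filter/convert.base64-encode/resource=../../wp-config.php HTTP/1.1" 200 2960 "-" "python-requests/2.31"',
    '198.51.100.9 - - [27/Mar/2025:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

// Indicator classes matched against the decoded request target.
const LFI_INDICATORS = [
    'traversal'   => '~\.\./~',
    'php_wrapper' => '~\b(?:php|phar|data|expect|zip)://~i',
    'sensitive'   => '~wp-config\.php|/etc/passwd|/proc/self~i',
];

// Peel up to three layers of percent-encoding and normalise backslashes, so
// %2e%2e%2f, %252e%252e%252f and ..\ all read as ../ before matching.
function normalise_target(string $target): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($target);
        if ($decoded === $target) {
            break;
        }
        $target = $decoded;
    }
    return str_replace('\\', '/', $target);
}

// Returns one record per suspicious request: who, when, status, size, indicators.
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // combined format: ip ident user [time] "method target proto" status bytes "ref" "ua"
        if (!preg_match('~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)~', $line, $m)) {
            continue;
        }
        $target  = normalise_target($m[4]);
        $matched = [];
        foreach (LFI_INDICATORS as $name => $pattern) {
            if (preg_match($pattern, $target)) {
                $matched[] = $name;
            }
        }
        if ($matched === []) {
            continue;
        }
        $hits[] = [
            'ip'         => $m[1],
            'time'       => $m[2],
            'status'     => (int) $m[5],
            'bytes'      => (int) $m[6],
            'target'     => $target,
            'indicators' => $matched,
        ];
    }
    return $hits;
}

foreach (scan_access_log(LOG_LINES) as $hit) {
    // A 200 with a non-empty body on a traversal request is the row to chase:
    // the include most likely succeeded. 403/404 rows are probes that were blocked.
    $verdict = ($hit['status'] === 200 && $hit['bytes'] > 0) ? 'LIKELY SUCCESS' : 'probe';
    printf("%-15s %s %3d %-14s %-28s %s\n",
        $hit['ip'], $hit['time'], $hit['status'], $verdict,
        implode(',', $hit['indicators']), $hit['target']);
}
```

Run it with the PHP CLI; to use it on a real log, replace LOG_LINES with `file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)`. Because the CVSS vector requires low privileges (PR:L), the next pivot after a hit is to join the source IP and timestamp against the WordPress login or session records to identify which account was used, and to check whether that account was registered or compromised shortly before the probes.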

CVEs Like This One

CVE-2024-13790 (shared CWE-98)
CVE-2026-22389 (shared CWE-98)
CVE-2026-32384 (shared CWE-98)
CVE-2025-30829 (shared CWE-98)
CVE-2025-68537 (shared CWE-98)
CVE-2026-28079 (shared CWE-98)
CVE-2026-28061 (shared CWE-98)
CVE-2026-28048 (shared CWE-98)
CVE-2026-22516 (shared CWE-98)
CVE-2026-28120 (shared CWE-98)

Affected Assets

Restaurant Menu by MotoPress (mp-restaurant-menu) WordPress plugin, versions up to and including 2.4.4.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly mitigates CVE-2025-30846 by identifying, prioritizing, and applying patches or updates to vulnerable versions of the mp-restaurant-menu WordPress plugin.

SI-10 Information Input Validation (prevent)
Requires validation of untrusted filename inputs to PHP include/require statements, preventing local file inclusion exploitation in the plugin.

Secure PHP configuration (prevent)
Enforces secure configuration settings for PHP environments, such as open_basedir restrictions, to limit the scope of local file access during LFI attempts.
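Putting the input-validation control above and the include pattern described under Deeper analysis into code, here is an added illustration (not the plugin's code; the plugin's actual template handling is not published on this page): a hypothetical render function in the CWE-98 shape, the same function hardened with an allowlist and a path-containment check (SI-10), and the open_basedir setting from the configuration control. The directory layout, function names and the `template` value are assumptions; the two files the script creates stand in for a plugin template and for wp-config.php.

```php
<?php
// Added illustration, not the mp-restaurant-menu plugin's code. Function names,
// the template directory layout and the 'template' value are assumptions; the
// files created below stand in for a plugin template and for wp-config.php.
declare(strict_types=1);

$tmp    = realpath(sys_get_temp_dir());
$tplDir = $tmp . '/lfi-demo-' . getmypid();                     // hypothetical template dir
$secret = $tmp . '/lfi-demo-secret-' . getmypid() . '.php';    // stands in for wp-config.php
mkdir($tplDir, 0700);
file_put_contents($tplDir . '/list.php', "<?php echo 'menu: list';");
file_put_contents($secret, "<?php echo 'DB_PASSWORD=hunter2';");

// VULNERABLE (CWE-98): the request-controlled name goes straight into include.
// "../" sequences walk out of the template directory, and because the file is
// executed rather than read, any PHP the attacker can get onto disk (an upload,
// a poisoned log) runs as the web server user.
function render_vulnerable(string $dir, string $template): string
{
    ob_start();
    include $dir . '/' . $template;
    return (string) ob_get_clean();
}

// HARDENED (SI-10): map the request value onto a fixed allowlist of template
// names, never a path, then confirm the resolved file still lives inside $dir.
function render_hardened(string $dir, string $template): string
{
    static $allowed = ['list', 'grid', 'single'];
    if (!in_array($template, $allowed, true)) {
        throw new InvalidArgumentException("unknown template '$template'");
    }
    $realDir  = realpath($dir);
    $realFile = realpath($dir . '/' . $template . '.php');
    if ($realDir === false || $realFile === false
        || strpos($realFile, $realDir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('template resolves outside the template directory');
    }
    ob_start();
    include $realFile;
    return (string) ob_get_clean();
}

$payload = '../' . basename($secret);                            // traversal payload
echo 'vulnerable, benign : ', render_vulnerable($tplDir, 'list.php'), "\n";
echo 'vulnerable, attack : ', render_vulnerable($tplDir, $payload), "\n";  // prints the stand-in secret
echo 'hardened,   benign : ', render_hardened($tplDir, 'list'), "\n";
try {
    render_hardened($tplDir, $payload);
} catch (InvalidArgumentException $e) {
    echo 'hardened,   attack : rejected (', $e->getMessage(), ")\n";
}
unlink($secret);

// Defence in depth (configuration settings control): open_basedir confines every
// filesystem call to the listed directories. It can be tightened at runtime but
// never loosened, so in production set it once in php.ini or the php-fpm pool.
ini_set('open_basedir', $tplDir);
echo 'open_basedir, inside : ', render_vulnerable($tplDir, 'list.php'), "\n";  // still allowed
var_dump(@file_get_contents(__FILE__));   // this script lies outside the allowed directory: blocked
unlink($tplDir . '/list.php');
rmdir($tplDir);
```

Run it with the PHP CLI. The vulnerable variant echoes the stand-in secret when handed `../<file>`; the hardened one rejects the same value at the allowlist before touching the filesystem, and the realpath containment check is a second guard in case the allowlist is ever loosened to accept paths. open_basedir is a backstop, not a fix: it stops reads outside the listed directories but does nothing about files an attacker can write inside them, which is exactly where LFI-to-RCE chains live.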