CVE-2025-30868
Published: 27 March 2025
Summary
CVE-2025-30868 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a PHP Local File Inclusion flaw (CWE-98) in the Team Manager WordPress plugin (wp-team-manager) by Maidul. It arises from improper control of filenames in include/require statements and affects all versions through 2.1.23.
An authenticated attacker with low privileges can exploit the issue over the network by supplying a crafted filename to the vulnerable include logic. Successful exploitation can yield high impact on confidentiality, integrity, and availability, although the CVSS vector notes high attack complexity.
The Patchstack advisory for the plugin recommends updating beyond version 2.1.23 to close the local file inclusion vector. The associated EPSS score has remained flat at a low 0.0165 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8324
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Maidul Team Manager wp-team-manager allows PHP Local File Inclusion. This issue affects Team Manager: from n/a through <= 2.1.23.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The LFI vulnerability in a public-facing WordPress plugin directly enables remote exploitation of the application (T1190) and arbitrary local file reads for data exposure (T1005); potential code execution depends on which files can be included and is secondary.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
- SI-2 (Flaw Remediation): timely patching of the vulnerable wp-team-manager plugin versions up to 2.1.23 directly eliminates the PHP Local File Inclusion vulnerability.
- SI-10 (Information Input Validation): validates and sanitizes user-supplied filenames used in PHP include/require statements to prevent arbitrary local file inclusion.
- Secures PHP configuration settings such as open_basedir and allow_url_include to restrict the file access paths exploitable by this LFI vulnerability.
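The SI-10 control above is abstract; the following added example (written for this page, not code from the wp-team-manager plugin or from Maidul) shows what it looks like in a PHP plugin that picks a template file based on a request parameter. The template names, directory layout and the `resolve_template`/`render_layout` functions are assumptions for illustration. The key idea is that the request value selects an entry in a fixed allowlist and never becomes part of a path, with a `realpath` containment check as defence in depth.

```php
<?php
// Added illustration, not the plugin's own code: a hardened template loader
// for a WordPress-style plugin that chooses a file from user input.
declare(strict_types=1);

// The vulnerable shape CWE-98 describes, kept here only as a comment:
// a request parameter flows straight into include(), so the caller
// controls which file on the server is included.
//   include __DIR__ . '/templates/' . $_GET['layout'] . '.php';

/**
 * Map a user-supplied selector to a template path, or return null.
 * The allowlist implements SI-10: no character from the request is ever
 * used to build the path, so traversal sequences and stream wrappers
 * simply fail the lookup.
 */
function resolve_template(string $selector, string $template_dir): ?string
{
    // Hypothetical template names; a real plugin would list its own files.
    static $allowed = [
        'grid'  => 'layout-grid.php',
        'list'  => 'layout-list.php',
        'cards' => 'layout-cards.php',
    ];
    if (!isset($allowed[$selector])) {
        return null;
    }

    // Defence in depth: even a mistaken allowlist entry (or a symlink
    // planted in the template dir) cannot resolve outside $template_dir.
    $base = realpath($template_dir);
    $path = realpath($template_dir . DIRECTORY_SEPARATOR . $allowed[$selector]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Include the chosen template, failing closed and logging rejected input. */
function render_layout(string $selector, string $template_dir): void
{
    $path = resolve_template($selector, $template_dir);
    if ($path === null) {
        // Hex-encode the rejected value so the log line is safe to ship to a SIEM.
        error_log('template loader: rejected layout selector ' . bin2hex($selector));
        http_response_code(400);
        return;
    }
    include $path;
}

// Constructed demonstration: build a throwaway template directory so the
// example runs offline, then exercise a valid and two hostile selectors.
$dir = sys_get_temp_dir() . '/template-demo-' . getmypid();
@mkdir($dir, 0700);
file_put_contents($dir . '/layout-grid.php', "<?php echo 'grid template rendered', PHP_EOL;\n");

var_dump(resolve_template('grid', $dir));             // resolved path inside $dir
var_dump(resolve_template('../../wp-config', $dir));  // null: not in the allowlist
var_dump(resolve_template("grid\0", $dir));           // null: allowlist miss, realpath never called
render_layout('grid', $dir);
```

The configuration control listed above complements this code rather than replacing it: setting `open_basedir` to the site's web root and leaving `allow_url_include` at `Off` in php.ini limits what an include can reach even if a future code path reintroduces the vulnerable pattern, and a spike of rejected-selector log lines from this loader is a cheap detection signal for scanning against the plugin.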