Cyber Posture

CVE-2025-30871

High

Published: 27 March 2025

Published
27 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0078 73.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-30871 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Wptravelengine Wp Travel Engine. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mandates timely identification, reporting, and correction of flaws like the LFI vulnerability in WP Travel Engine, preventing exploitation through patching.

SI-10 Information Input Validation good match
prevent

Requires validation of information inputs such as filenames in PHP include/require statements, directly countering the improper control exploited in this LFI vulnerability.

RA-5 Vulnerability Monitoring and Scanning good match
detect

Vulnerability scanning identifies the LFI flaw in the WP Travel Engine plugin, enabling proactive remediation before exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The CVE describes a local file inclusion vulnerability in a public-facing WordPress plugin, directly enabling exploitation via T1190: Exploit Public-Facing Application to achieve code execution or file access on the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine wp-travel-engine allows PHP Local File Inclusion.This issue affects WP Travel Engine: from n/a through <= 6.3.5.

Deeper analysisAI

CVE-2025-30871 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, described as PHP Remote File Inclusion but enabling PHP Local File Inclusion (CWE-98), in the WP Travel Engine WordPress plugin (wp-travel-engine). This issue affects all versions from n/a through 6.3.5, as published on 2025-03-27.

The vulnerability carries a CVSS v3.1 base score of 7.5 (High), with an attack vector of Network (AV:N), high attack complexity (AC:H), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). A low-privileged attacker can exploit it remotely with high complexity to perform local file inclusion, potentially allowing unauthorized access to or execution of local PHP files.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-travel-engine/vulnerability/wordpress-wp-travel-engine-plugin-6-3-5-local-file-inclusion-vulnerability?_s_id=cve) documents the local file inclusion vulnerability specifically in WP Travel Engine plugin version 6.3.5.

Details

CWE(s)
CWE-98

Affected Products

wptravelengine
wp travel engine
≤ 6.3.6

CVEs Like This One

CVE-2025-53334Shared CWE-98
CVE-2025-53567Shared CWE-98
CVE-2025-14475Shared CWE-98
CVE-2025-69076Shared CWE-98
CVE-2025-67955Shared CWE-98
CVE-2025-69005Shared CWE-98
CVE-2026-22370Shared CWE-98
CVE-2026-28119Shared CWE-98
CVE-2024-56281Shared CWE-98
CVE-2025-69396Shared CWE-98

References