CVE-2025-30891
Published: 27 March 2025
Summary
CVE-2025-30891 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-30891 is a PHP Local File Inclusion vulnerability arising from improper control of filenames in include/require statements. It affects the WpTravelly tour-booking-manager WordPress plugin by magepeopleteam, impacting all versions through 1.8.7. The flaw is tracked under CWE-98 and carries a CVSS 3.1 score of 8.8.
An authenticated attacker with low-privileged access can supply a crafted filename parameter to force the inclusion of arbitrary local files on the server. Successful exploitation grants the ability to read sensitive files, execute limited code, or achieve full compromise of confidentiality, integrity, and availability on the affected WordPress site.
The primary public reference is the Patchstack advisory, which documents the issue and points to an available update that resolves the vulnerability in WpTravelly. The EPSS score rose from a low baseline to a recorded peak of 0.0263 before settling at the current value of 0.0155, indicating emerging post-disclosure interest that warrants renewed attention from defenders.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8318
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magepeopleteam WpTravelly tour-booking-manager allows PHP Local File Inclusion.This issue affects WpTravelly: from n/a through <= 1.8.7.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a local file inclusion vulnerability in a public-facing WordPress plugin, directly enabling exploitation of the web application (T1190) and collection of data from local system files via arbitrary include/require (T1005).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly validates user-supplied filenames and paths prior to use in PHP include/require statements, preventing arbitrary local file inclusion attacks.
Requires timely monitoring, reporting, and patching of flaws like the LFI vulnerability in the WpTravelly WordPress plugin across all affected versions.
Enforces secure PHP and web server configuration settings, such as open_basedir restrictions, to limit the scope of local file access even if application-level validation fails.