Cyber Resilience

CVE-2025-30891

High

Published: 27 March 2025

Published
27 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0155 81.8th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-30891 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-30891 is a PHP Local File Inclusion vulnerability arising from improper control of filenames in include/require statements. It affects the WpTravelly tour-booking-manager WordPress plugin by magepeopleteam, impacting all versions through 1.8.7. The flaw is tracked under CWE-98 and carries a CVSS 3.1 score of 8.8.

An authenticated attacker with low-privileged access can supply a crafted filename parameter to force the inclusion of arbitrary local files on the server. Successful exploitation grants the ability to read sensitive files, execute limited code, or achieve full compromise of confidentiality, integrity, and availability on the affected WordPress site.

The primary public reference is the Patchstack advisory, which documents the issue and points to an available update that resolves the vulnerability in WpTravelly. The EPSS score rose from a low baseline to a recorded peak of 0.0263 before settling at the current value of 0.0155, indicating emerging post-disclosure interest that warrants renewed attention from defenders.

EU & UK References

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magepeopleteam WpTravelly tour-booking-manager allows PHP Local File Inclusion.This issue affects WpTravelly: from n/a through <= 1.8.7.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The CVE describes a local file inclusion vulnerability in a public-facing WordPress plugin, directly enabling exploitation of the web application (T1190) and collection of data from local system files via arbitrary include/require (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68537Shared CWE-98
CVE-2026-28079Shared CWE-98
CVE-2026-28061Shared CWE-98
CVE-2026-28048Shared CWE-98
CVE-2026-22516Shared CWE-98
CVE-2026-28120Shared CWE-98
CVE-2025-67992Shared CWE-98
CVE-2025-31432Shared CWE-98
CVE-2026-39613Shared CWE-98
CVE-2025-26957Shared CWE-98

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates user-supplied filenames and paths prior to use in PHP include/require statements, preventing arbitrary local file inclusion attacks.

prevent

Requires timely monitoring, reporting, and patching of flaws like the LFI vulnerability in the WpTravelly WordPress plugin across all affected versions.

prevent

Enforces secure PHP and web server configuration settings, such as open_basedir restrictions, to limit the scope of local file access even if application-level validation fails.

References