CVE-2025-30895
Published: 27 March 2025
Summary
CVE-2025-30895 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 24.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-30895 is a path traversal vulnerability, also described as improper limitation of a pathname to a restricted directory, that permits PHP local file inclusion. It affects the WpEvently plugin (mage-eventpress) developed by magepeopleteam for WordPress, impacting all versions from n/a through 4.2.9. The flaw carries a CVSS 3.1 score of 7.5 and is tracked under CWE-22.
An authenticated attacker with low privileges can exploit the issue remotely over the network; successful exploitation requires high attack complexity but no user interaction. Successful abuse allows the attacker to read or execute arbitrary local PHP files, resulting in high impact to confidentiality, integrity, and availability within the affected WordPress installation.
The sole reference is a Patchstack database entry for the WordPress WpEvently plugin that catalogs the vulnerability at version 4.2.9; administrators should update to a patched release once one is available to close the exposure.
EPSS scores remain low, with a current value of 0.0086 and a peak of only 0.0118, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8306
Vulnerability details
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in magepeopleteam WpEvently mage-eventpress allows PHP Local File Inclusion. This issue affects WpEvently: from n/a through <= 4.2.9.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing WordPress plugin directly enables T1190 (initial access by exploiting the web application) and facilitates T1100 by allowing inclusion and execution of malicious PHP code as a web shell.
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of file path inputs to block path traversal sequences enabling PHP local file inclusion in the WpEvently plugin.
Mandates timely patching and remediation of the specific path traversal flaw affecting WpEvently versions through 4.2.9.
Enforces restrictions on input parameters, such as prohibiting directory traversal characters like '../', to mitigate the pathname limitation vulnerability.
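The input validation that SI-10 calls for, shown as an added example that is not code from the advisory or from the WpEvently plugin: a user-supplied template name is accepted only if it matches a strict pattern and its canonical path still lies inside a fixed template directory. The directory layout, the `resolve_template` function and the `template` request parameter are assumptions for illustration.

```php
<?php
// Added example (not WpEvently code): hardened resolution of a user-controlled
// template name before it reaches include/require. Assumptions: templates are
// plain .php files under one fixed directory; names here are hypothetical.

declare(strict_types=1);

/**
 * Resolve $name to a file inside $baseDir, or return null if it is not safe.
 * Two independent checks apply: the name must match a strict allowlist pattern
 * (no slashes, dots or NUL bytes), and the canonical path must still sit inside
 * the canonical base directory. Either check alone blocks "../" sequences;
 * together they also cover symlinks and encodings that decode late.
 */
function resolve_template(string $baseDir, string $name): ?string
{
    // 1. Syntactic allowlist: only simple identifiers such as "event-list".
    if (!preg_match('/\A[a-zA-Z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    // 2. Canonicalise both sides. realpath() returns false for a missing file,
    //    which is also a rejection: nothing outside the tree can be reached.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Containment check on the canonical path, including the trailing
    //    separator so that "/srv/templates-other" cannot pass as "/srv/templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Usage: the request parameter is attacker-controlled and is never passed to
// include/require directly; only the validated, canonical path is used.
$template = resolve_template(__DIR__ . '/templates', (string) ($_GET['template'] ?? ''));
if ($template === null) {
    http_response_code(400);
    exit('invalid template');
}
require $template;
```

A request such as `?template=../../wp-config` fails the pattern check, and a name that survives the pattern but resolves through a symlink outside the directory fails the containment check; both are rejected before any file is read.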