Cyber Resilience

CVE-2025-30895

Severity: High
Published: 27 March 2025
Modified: 23 April 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0086 (75.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-30895 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-30895 is a path traversal vulnerability, also described as improper limitation of a pathname to a restricted directory, that permits PHP local file inclusion. It affects the WpEvently plugin (mage-eventpress) developed by magepeopleteam for WordPress, impacting all versions from n/a through 4.2.9. The flaw carries a CVSS 3.1 score of 7.5 and is tracked under CWE-22.

An authenticated attacker with low privileges can exploit the issue remotely over the network, although successful exploitation requires high attack complexity and no user interaction. Successful abuse allows the attacker to read or execute arbitrary local PHP files, resulting in high impact to confidentiality, integrity, and availability within the affected WordPress installation.

The sole reference points to a Patchstack database entry for the WordPress WpEvently plugin that catalogs the vulnerability at version 4.2.9, implying that administrators should update to a patched release once available to close the exposure.

EPSS scores remain low, with a current value of 0.0086 and a peak of only 0.0118, indicating limited observed exploitation interest to date.

Vulnerability details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in magepeopleteam WpEvently mage-eventpress allows PHP Local File Inclusion. This issue affects WpEvently: from n/a through <= 4.2.9.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal in a public-facing WordPress plugin directly enables T1190 for initial access via exploitation of the web application, and facilitates T1505.003 (Web Shell, formerly T1100) by allowing inclusion and execution of malicious PHP code as a web shell.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1661 (shared CWE-22)
CVE-2026-33529 (shared CWE-22)
CVE-2026-9550 (shared CWE-22)
CVE-2024-44373 (shared CWE-22)
CVE-2019-25471 (shared CWE-22)
CVE-2024-11642 (shared CWE-22)
CVE-2025-67684 (shared CWE-22)
CVE-2025-41758 (shared CWE-22)
CVE-2025-12382 (shared CWE-22)
CVE-2025-54446 (shared CWE-22)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of file path inputs to block path traversal sequences enabling PHP local file inclusion in the WpEvently plugin.

SI-2 Flaw Remediation (prevent): Mandates timely patching and remediation of the specific path traversal flaw affecting WpEvently versions through 4.2.9.

Prevent: Enforces restrictions on input parameters, such as prohibiting directory traversal characters like '../', to mitigate the pathname limitation vulnerability.
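As an added example of the input validation SI-10 calls for (this is not the plugin's or Patchstack's code), the PHP function below accepts only an allowlisted template name and canonicalises the result with realpath() before anything is handed to include(); the function name safe_template_path, the temporary template directory and the probe strings are all constructed for illustration.

```php
<?php
// Added example, not plugin code: resolve a user-supplied template name to a
// file strictly inside one allowed directory, rejecting traversal sequences
// before and after canonicalisation.

function safe_template_path(string $base_dir, string $requested): ?string
{
    // 1. Allowlist the shape of the name: letters, digits, '_' and '-' only,
    //    so '/', '.', and NUL bytes can never reach the filesystem call.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // 2. Canonicalise the candidate and confirm it still sits below $base.
    //    This second check also catches a symlink that points outside.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($candidate === false) {
        return null; // no such template
    }
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the template directory
    }
    return $candidate;
}

// Constructed demonstration directory holding one legitimate template.
$tmp = sys_get_temp_dir() . '/template-demo-' . getmypid();
mkdir($tmp, 0700, true);
file_put_contents($tmp . '/event-list.php', "<?php echo 'event list';\n");

$probes = [
    'event-list',            // legitimate name: resolves to a path
    '../../outside-file',    // traversal sequence: rejected by the allowlist
    "event-list\0",          // embedded NUL byte: rejected by the allowlist
    'missing',               // unknown template: realpath() fails
];
foreach ($probes as $p) {
    $path = safe_template_path($tmp, $p);
    printf("%-22s => %s\n", str_replace("\0", '\0', $p),
        $path === null ? 'REJECTED' : 'include ' . basename($path));
}
// Only the first probe yields a path; that value is what include() would get.
unlink($tmp . '/event-list.php');
rmdir($tmp);
```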
