Platform
wordpress
Component
wpevently
Fixed in
4.2.10
CVE-2025-30895 is a path traversal vulnerability in the WpEvently WordPress plugin that results in PHP local file inclusion. An attacker can make the plugin include files from the server's filesystem, which exposes sensitive data and, when the attacker can get PHP code onto disk, leads to remote code execution. All WpEvently releases up to and including 4.2.9 are affected; the fix ships in version 4.2.10.
A path traversal flaw means the plugin builds a filesystem path from request input without confining the result to the directory it intends to serve from. Using directory traversal sequences such as ../, an attacker walks out of that directory, and because the resulting path is passed to a PHP include, the chosen file is processed by PHP: a non-PHP file such as /etc/passwd or a log file is returned in the response, while any file that contains PHP is executed. That is what turns this class of bug into code execution when the attacker can place PHP on disk first, for example through an upload feature or by poisoning a log file the web server user can read. The impact is therefore not limited to information disclosure; a successful exploit can end in complete server compromise.
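The paragraph above describes the traversal in general terms; the plugin's own code is not reproduced on this page. The following is an added example, not WpEvently code, that contrasts a filter which merely strips ../ (bypassable with ....// ) against a check that resolves the final path and confirms it stays inside the intended directory, plus the stricter allowlist approach. The template directory and the template names are assumptions made for illustration.

```python
import os
from typing import Optional

# Assumed layout for illustration; the real plugin's directory and template
# handling are not described on this page.
PLUGIN_TEMPLATE_DIR = "/var/www/html/wp-content/plugins/wp-evently/templates"

# Hypothetical allowlist of the template names the feature legitimately needs.
ALLOWED_TEMPLATES = {"event_list", "event_single"}


def naive_strip_dotdot(requested: str) -> str:
    """The kind of filter that does NOT work: deleting '../' in a single pass.

    '....//' loses its inner '../' and collapses back into '../'.
    """
    return requested.replace("../", "")


def resolve_in_base(base_dir: str, requested: str) -> Optional[str]:
    """Resolve `requested` under base_dir; return None if the result escapes.

    realpath collapses '..' and follows symlinks, so the containment check is
    made on the final filesystem location, not on the string the client sent.
    """
    if "\x00" in requested:  # a NUL byte truncates the path in C-level calls
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def template_path(name: str) -> Optional[str]:
    """Stricter variant: map a bare name onto a fixed file through an allowlist."""
    if name not in ALLOWED_TEMPLATES:
        return None
    return os.path.join(PLUGIN_TEMPLATE_DIR, name + ".php")


if __name__ == "__main__":
    probes = [
        "event_single.php",
        "../../../../etc/passwd",
        "/etc/passwd",
        "....//....//etc/passwd",
    ]
    for req in probes:
        print(
            f"{req!r:30} strip-once -> {naive_strip_dotdot(req)!r:24} "
            f"realpath-check -> {resolve_in_base(PLUGIN_TEMPLATE_DIR, req)}"
        )
```

Note that an absolute path is rejected as well: os.path.join discards the base when the second argument starts with a slash, which is exactly why the containment test has to run on the resolved result rather than on the input.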
CVE-2025-30895 was publicly disclosed on 2025-03-27. At the time of writing no public proof-of-concept exploit is known, and the EPSS score of 0.20% (42nd percentile) reflects a low predicted probability of exploitation. That can change quickly once a PoC circulates, so monitor security advisories and threat intelligence feeds for signs of active exploitation.
Any site running WpEvently 4.2.9 or earlier is at risk. On shared hosting the consequences can reach further: if filesystem permissions let the web server user read other accounts' files, an arbitrary file read on one tenant's site becomes a read across tenants, and such environments often give the site owner little control over those permissions.
• wordpress / composer / npm:
wp plugin list --fields=name,version,update_version
grep -hiE "^\s*\*?\s*Version:" /var/www/html/wp-content/plugins/wp-evently/*.php
• generic web:
curl -s http://your-wordpress-site.com/wp-content/plugins/wp-evently/readme.txt | grep -i "^Stable tag"
The plugin directory name used in these commands follows this page; confirm it against the actual folder under wp-content/plugins on your installation. A version at or below 4.2.9 means the site is affected.
Exploit status
EPSS
0.20% (42nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-30895 is to upgrade the WpEvently plugin to version 4.2.10 or later without delay. If an immediate upgrade is not feasible because of compatibility concerns, temporary measures reduce exposure but do not remove the flaw: deactivate the plugin if the site can do without it for a while; make sure the web server user cannot read files outside the web root and that wp-config.php is not world-readable; and add a Web Application Firewall rule for path traversal. A rule that matches only the literal string '../' is easily bypassed with URL encoding (%2e%2e%2f), double encoding or backslashes, so the rule must be evaluated after URL decoding and path normalization. After upgrading, confirm that the installed version is 4.2.10 or later and, on a site you are authorized to test, check that requests with traversal sequences to the plugin's endpoints no longer return content from outside the plugin directory.
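To make the WAF caveat concrete, the following added example (not code from the page, the plugin or its vendor) scans constructed Apache-style access log lines for traversal attempts. It compares a naive literal '../' match with a check that first undoes URL encoding (twice, to catch double encoding) and folds backslashes. The endpoint, the `template` parameter and the `action` value in the sample lines are hypothetical; the advisory does not name the vulnerable request handler.

```python
import re
from urllib.parse import unquote

# Constructed sample in Apache combined log format. The endpoint and the
# parameter names are hypothetical stand-ins, not taken from the plugin.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Mar/2025:10:00:01 +0000] "GET /?page_id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Mar/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=evently_template&template=../../../../etc/passwd HTTP/1.1" 200 2214 "-" "curl/8.4.0"
203.0.113.7 - - [27/Mar/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=evently_template&template=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2214 "-" "curl/8.4.0"
203.0.113.7 - - [27/Mar/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=evently_template&template=..%252f..%252fwp-config.php HTTP/1.1" 500 0 "-" "curl/8.4.0"
198.51.100.9 - - [27/Mar/2025:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=evently_template&template=event_single HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
"""

# Pulls client IP, timestamp, method and request target out of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
)


def normalize_uri(uri: str) -> str:
    """URL-decode up to twice (handles double encoding) and fold backslashes."""
    decoded = uri
    for _ in range(2):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    return decoded.replace("\\", "/")


def literal_only_check(uri: str) -> bool:
    """What a rule matching the raw string '../' sees."""
    return "../" in uri


def is_traversal_attempt(uri: str) -> bool:
    """Traversal test applied after decoding and normalization."""
    norm = normalize_uri(uri)
    return "../" in norm or norm.endswith("..")


def scan_log(lines):
    """Return (ip, raw_uri, normalized_uri) for every request flagged as traversal."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_traversal_attempt(m["uri"]):
            hits.append((m["ip"], m["uri"], normalize_uri(m["uri"])))
    return hits


def count_literal_only(lines) -> int:
    """How many of the same lines a literal '../' rule would have caught."""
    return sum(
        1 for line in lines
        if (m := REQUEST_RE.match(line)) and literal_only_check(m["uri"])
    )


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, raw, norm in scan_log(lines):
        print(f"{ip}  {raw}\n{'':16}-> {norm}")
    print(f"literal '../' rule would have caught {count_literal_only(lines)} of them")
```

The same principle applies to a real WAF: the rule has to run on the decoded, normalized request, which is what ModSecurity-style transformations such as t:urlDecodeUni and t:normalisePath are for. A log scan like this is a detection aid for reviewing past traffic; it does not replace the upgrade.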
Update the WpEvently plugin to the latest available version to mitigate the path traversal / local file inclusion vulnerability. Check the plugin's page on wordpress.org for the most recent release and update instructions. Consider additional hardening, such as limiting access to sensitive files and validating user input.
CVE-2025-30895 is a Path Traversal vulnerability in the WpEvently WordPress plugin allowing attackers to include arbitrary files, potentially exposing sensitive data.
Yes, if you are running WpEvently 4.2.9 or any earlier version, you are affected by this vulnerability.
Upgrade the WpEvently plugin to version 4.2.10 or later to resolve this vulnerability. Consider temporary workarounds if immediate upgrade isn't possible.
Currently there are no confirmed active exploitation campaigns and no known public proof of concept; the risk increases as soon as one is published, so treat the upgrade as urgent rather than optional.
Refer to the WpEvently plugin's official website or WordPress plugin repository for the latest security advisory and update information.
Upload your dependency file and find out immediately whether this and other CVEs affect you.