Platform: wordpress
Component: wpevently
Fixed in: 4.2.10
CVE-2025-30895 identifies a Path Traversal vulnerability within the WpEvently WordPress plugin, allowing for PHP Local File Inclusion. This vulnerability enables attackers to potentially read arbitrary files on the server, leading to sensitive data exposure or, in some cases, remote code execution. The vulnerability affects versions of WpEvently from 0.0.0 through 4.2.9, and a patch is available in version 4.2.10.
The Path Traversal vulnerability in WpEvently allows an attacker to bypass intended access restrictions and include arbitrary files on the server. By manipulating file paths, an attacker can potentially access sensitive configuration files, database credentials, or even source code. Successful exploitation could lead to the disclosure of confidential information, modification of website functionality, or the execution of malicious code on the server. The impact is amplified if the server hosts other sensitive applications or data, enabling potential lateral movement within the network. This vulnerability shares similarities with other Local File Inclusion exploits, where attackers leverage improper input validation to gain unauthorized access.
CVE-2025-30895 was publicly disclosed on 2025-03-27. Currently, there are no known active campaigns targeting this vulnerability, but the availability of a public proof-of-concept could change this rapidly. The vulnerability has been added to the CISA KEV catalog, indicating a medium probability of exploitation. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 0.20% (42nd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-30895 is to immediately upgrade the WpEvently plugin to version 4.2.10 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include restricting file access permissions on the server, implementing a Web Application Firewall (WAF) with rules to block suspicious path traversal attempts (e.g., blocking requests containing '../' sequences), and carefully reviewing and restricting file upload functionalities within the plugin. After upgrading, verify the fix by attempting to access restricted files via the vulnerable endpoint and confirming that access is denied.
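The two mitigation layers the advisory describes (a WAF rule against traversal sequences and server-side restriction of which files can be included) are shown below as an added example; this is not code from the advisory or from the WpEvently plugin, and the template directory, parameter values and helper names are constructed assumptions. It also shows why a WAF rule that matches only a literal '../' is insufficient: percent-encoded, double-encoded and backslash forms decode to the same traversal, so the check works on the decoded value and the final path is verified with realpath containment.

```python
# Added example (not from the advisory or the WpEvently plugin): two defensive
# layers against the Local File Inclusion pattern described above. The
# template root, parameter name and request samples are constructed.
import os
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical directory from which a plugin is meant to include templates.
TEMPLATE_ROOT = "/var/www/html/wp-content/plugins/example-plugin/templates"

def normalize_param(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (catches %252e double encoding), fold backslashes."""
    decoded = value
    for _ in range(max_rounds):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/")

def is_traversal_attempt(value: str) -> bool:
    """WAF-style check on the decoded value: any '..' path segment or a NUL byte."""
    v = normalize_param(value)
    return "\x00" in v or any(seg == ".." for seg in v.split("/"))

def resolve_template(name: str, root: str = TEMPLATE_ROOT) -> Optional[str]:
    """Server-side containment: accept only names that resolve inside `root`."""
    if is_traversal_attempt(name):
        return None
    base = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(base, normalize_param(name)))
    # An absolute name carries no '..' yet still escapes the root; realpath catches it.
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate

# Constructed parameter values of the kind a WAF or access log would show.
SAMPLE_PARAMS = [
    "event-list.php",                       # legitimate template name
    "../../../../wp-config.php",            # plain traversal
    "%2e%2e%2f%2e%2e%2fwp-config.php",      # percent-encoded, no literal '../'
    "%252e%252e%252fwp-config.php",         # double-encoded
    "..%5c..%5cwp-config.php",              # backslash separators
    "/etc/passwd",                          # absolute path, no '..' at all
]

def flagged(params: List[str]) -> List[str]:
    """Return the values that fail either layer (traversal check or containment)."""
    return [p for p in params if resolve_template(p) is None]
```

Running `flagged(SAMPLE_PARAMS)` rejects every sample except the legitimate template name; the absolute-path case passes the traversal check and is caught only by the containment layer.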
Update the WpEvently plugin to the latest available version to mitigate the PHP object injection vulnerability. Check the plugin page on wordpress.org for the most recent version and update instructions. Consider implementing additional security measures, such as limiting access to sensitive files and validating user input.
CVE-2025-30895 is a Path Traversal vulnerability in the WpEvently WordPress plugin allowing attackers to include arbitrary files, potentially exposing sensitive data.
Yes, if you are using WpEvently versions 0.0.0 through 4.2.9, you are affected by this vulnerability.
Upgrade the WpEvently plugin to version 4.2.10 or later to resolve this vulnerability. Consider temporary workarounds if immediate upgrade isn't possible.
Currently, there are no confirmed active exploitation campaigns, but the availability of a PoC increases the risk.
Refer to the WpEvently plugin's official website or WordPress plugin repository for the latest security advisory and update information.