CVE-2025-30846 Overview
CVE-2025-30846 is a PHP Local File Inclusion (LFI) vulnerability in the Restaurant Menu by MotoPress (mp-restaurant-menu) WordPress plugin developed by jetmonsters. The flaw stems from improper control of a filename used in a PHP include or require statement, classified under [CWE-98]. All versions up to and including 2.4.4 are affected. An authenticated attacker with low privileges can leverage the issue to include arbitrary local files, resulting in code execution within the PHP runtime context.
Critical Impact
An attacker can include and execute arbitrary PHP files on the WordPress server, leading to full compromise of confidentiality, integrity, and availability.
Affected Products
- Restaurant Menu by MotoPress (mp-restaurant-menu) WordPress plugin versions up to and including 2.4.4
- WordPress installations with the vulnerable plugin enabled
- Hosting environments running the plugin under PHP runtime
Discovery Timeline
- 2025-03-27 - CVE-2025-30846 published to the National Vulnerability Database
- 2026-04-23 - Last updated in the NVD database
Technical Details for CVE-2025-30846
Vulnerability Analysis
The vulnerability is a PHP File Inclusion flaw mapped to [CWE-98]. The plugin passes attacker-controllable input into a PHP include, include_once, require, or require_once statement without sufficient validation or sanitization. Although CWE-98 is titled as a "PHP Remote File Inclusion" weakness, exploitation here results in Local File Inclusion (LFI) on the WordPress host.
Authenticated users with low privileges, such as Subscriber or Contributor accounts depending on plugin configuration, can manipulate the filename argument to traverse the filesystem. Inclusion of attacker-controlled or attacker-uploaded PHP files leads to arbitrary code execution under the web server user. The attack is performed remotely over the network, requires no user interaction, and has low complexity.
Root Cause
The root cause is missing or insufficient validation of a filename parameter consumed by a PHP file inclusion API. User-supplied data reaches the include statement directly, allowing path traversal sequences and absolute path references. Refer to the Patchstack Vulnerability Advisory for component-level details.
Attack Vector
The attack vector is network-based against the WordPress HTTP endpoints exposed by the plugin. An authenticated attacker submits a crafted request containing a manipulated filename parameter. The PHP interpreter loads and executes the referenced file. Attackers commonly chain this with media upload abuse, log poisoning, or inclusion of session files to achieve PHP code execution.
No verified public exploit code is available at the time of writing. The vulnerability mechanism is described in prose because no validated proof-of-concept has been published.
Detection Methods for CVE-2025-30846
Indicators of Compromise
- HTTP requests to mp-restaurant-menu plugin endpoints containing path traversal sequences such as ../, ..%2f, or absolute filesystem paths in query or POST parameters
- Unexpected PHP files created in wp-content/uploads/ or other writable directories shortly after plugin requests
- Web server processes spawning shells, wget, curl, or php child processes following requests to plugin URLs
- Outbound network connections from the WordPress host to attacker-controlled infrastructure following plugin activity
Detection Strategies
- Inspect web server access logs for parameters referencing filesystem paths, null bytes, or PHP wrappers like php://filter and php://input targeting plugin URLs
- Monitor file integrity on wp-content/plugins/mp-restaurant-menu/ and the WordPress uploads directory for new or modified PHP files
- Correlate authenticated session activity with anomalous file inclusion patterns originating from low-privilege accounts
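The following log-scanning check implements the detection strategies above. It is an added example, not code from the plugin or its vendor: the access-log entries are constructed, the endpoint file name and the admin-ajax action name in them are placeholders, and because this page does not document the plugin's real AJAX action names, a request is marked as targeting the plugin only when its path or query contains the plugin slug.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log entries (common log format); the endpoint
# file and the AJAX action name are placeholders, not the plugin's real ones.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2025:10:00:01 +0000] "GET /wp-content/plugins/mp-restaurant-menu/assets/css/style.css?ver=2.4.4 HTTP/1.1" 200 3120
203.0.113.7 - - [27/Mar/2025:10:00:05 +0000] "GET /wp-content/plugins/mp-restaurant-menu/example-endpoint.php?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 512
198.51.100.23 - - [27/Mar/2025:10:01:12 +0000] "POST /wp-admin/admin-ajax.php?action=mprm_placeholder_action&template=php://input HTTP/1.1" 200 2048
198.51.100.23 - - [27/Mar/2025:10:01:40 +0000] "GET /wp-content/plugins/mp-restaurant-menu/example-endpoint.php?file=%252e%252e%252fwp-config.php%2500 HTTP/1.1" 200 0
"""
PLUGIN_MARKER = "mp-restaurant-menu"
# Indicators from the detection strategies, matched on the fully decoded request target.
INDICATORS = {
    "traversal": re.compile(r"(?:^|[/\\?&=])\.\.(?:[/\\]|$)"),
    "null_byte": re.compile(r"\x00"),
    "php_wrapper": re.compile(r"php://(?:filter|input)", re.IGNORECASE),
    "absolute_path": re.compile(r"[?&][^=&]*=/(?:etc|proc|var|tmp|home|root)/"),
}
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')

def decode_target(target, rounds=2):
    """Percent-decode up to `rounds` times so ..%2f and %252e%252e%252f both surface."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def analyze_line(line):
    """Return a finding dict for one access-log line, or None if nothing matched."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = decode_target(m.group(1))
    hits = [name for name, rx in INDICATORS.items() if rx.search(target)]
    if not hits:
        return None
    # admin-ajax requests reveal the plugin only through the action name, which
    # this page does not document, so plugin scoping is by path/query slug only.
    return {"target": target, "indicators": hits,
            "plugin_targeted": PLUGIN_MARKER in target}

def scan_log(text):
    """Scan a whole log; findings are returned in file order."""
    return [f for f in map(analyze_line, text.splitlines()) if f]
```

Run scan_log over the access log and route findings with plugin_targeted set to the highest priority; wrapper hits on admin-ajax still deserve review even though the scoping check cannot attribute them to the plugin.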
Monitoring Recommendations
- Enable WordPress audit logging for plugin actions, file uploads, and role changes
- Forward web server, PHP-FPM, and WordPress logs to a centralized SIEM for query and correlation
- Alert on web-server-spawned interactive shells or interpreter processes executing from upload directories
How to Mitigate CVE-2025-30846
Immediate Actions Required
- Deactivate the Restaurant Menu by MotoPress plugin on all WordPress installations running version 2.4.4 or earlier until a patched release is applied
- Restrict access to WordPress authenticated endpoints behind a web application firewall with rules blocking path traversal and PHP wrapper schemes
- Audit user accounts and remove unnecessary low-privilege accounts that could be used to authenticate and exploit the flaw
- Review the WordPress filesystem for unauthorized PHP files in upload and plugin directories
Patch Information
At the time of NVD publication, the advisory references the Patchstack Vulnerability Advisory for the disclosure. Administrators should upgrade to any vendor release later than 2.4.4 once published by jetmonsters/MotoPress and validate the fix in a staging environment before production rollout.
Workarounds
- Disable or uninstall the mp-restaurant-menu plugin if the restaurant menu functionality is not business-critical
- Configure PHP open_basedir to constrain file inclusion to a known directory subtree, reducing the reachable filesystem during exploitation
- Set allow_url_include=Off and allow_url_fopen=Off in php.ini to block remote inclusion vectors
- Deploy WAF signatures that block traversal sequences and PHP stream wrappers in requests targeting the plugin
; Example php.ini hardening to limit file inclusion exposure
; (php.ini comments use ';' since '#'-style comments were removed in PHP 7.0)
allow_url_include = Off
allow_url_fopen = Off
; Restrict file access to the WordPress document root and a temp directory;
; adjust both paths to the actual install location
open_basedir = "/var/www/html:/tmp"
; Keep an included PHP file from spawning shells or child processes
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.