CVE-2025-30895 Overview
CVE-2025-30895 is a path traversal vulnerability [CWE-22] in the magepeopleteam WpEvently (mage-eventpress) WordPress plugin. The flaw lets authenticated attackers perform PHP Local File Inclusion (LFI) by manipulating a file path parameter. It affects all WpEvently versions up to and including 4.2.9. An attacker with a low-privileged account can cause the plugin to include an arbitrary local file, which PHP then executes as code, potentially leading to code execution, sensitive data disclosure, and full site compromise.
Critical Impact
Authenticated attackers can traverse directories to include and execute arbitrary PHP files on the WordPress server, compromising confidentiality, integrity, and availability of affected installations.
Affected Products
- magepeopleteam WpEvently (mage-eventpress) WordPress plugin
- All versions through 4.2.9 (the advisory lists the lower bound as n/a, so treat every earlier release as affected)
- WordPress sites with the vulnerable plugin installed and activated
Discovery Timeline
- 2025-03-27 - CVE-2025-30895 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-30895
Vulnerability Analysis
The vulnerability stems from improper limitation of a pathname to a restricted directory within the WpEvently plugin. The plugin accepts user-supplied input used to construct file paths without adequate sanitization or validation. Attackers can supply path traversal sequences such as ../ to escape the intended directory and reference arbitrary files on the filesystem.
When the constructed path is passed to a PHP file inclusion function such as include or require, the referenced file is parsed and executed as PHP regardless of its extension. This converts a directory traversal flaw into a Local File Inclusion vulnerability with code execution potential. The EPSS score of 0.698% is the estimated probability of exploitation in the wild within 30 days at the time of scoring: low in absolute terms, consistent with the authentication requirement, but not negligible for a WordPress plugin flaw of this class.
Root Cause
The root cause is missing input validation on parameters that influence file path construction. The plugin trusts authenticated user input when resolving file locations. No canonicalization or allowlist check prevents traversal sequences from resolving outside the plugin's intended directory boundary.
Attack Vector
Exploitation requires network access and a low-privileged authenticated account on the target WordPress instance. The attacker sends a crafted HTTP request containing a path traversal payload to a vulnerable plugin endpoint; the server resolves the manipulated path and includes the targeted file. Refer to the Patchstack advisory for the affected endpoint and parameter.
Detection Methods for CVE-2025-30895
Indicators of Compromise
- HTTP requests to WpEvently plugin endpoints whose parameters contain ../ sequences or encoded variants such as %2e%2e%2f, ..%2f, ..%5c, or the double-encoded %252e%252e%252f
- Request parameters that resolve to PHP files outside the wp-content/plugins/mage-eventpress/ directory (the included file generates no access log entry of its own, so look at the parameter value, not the request path)
- Unexpected PHP execution events originating from the WpEvently plugin context
- Inclusion attempts targeting sensitive files such as wp-config.php or system paths like /etc/passwd
Detection Strategies
- Inspect WordPress and web server access logs for traversal patterns in query parameters targeting plugin endpoints; percent-decode before matching, and remember that POST bodies do not appear in access logs, so application or WAF logging is needed for those
- Deploy Web Application Firewall (WAF) rules that detect directory traversal sequences in requests to /wp-content/plugins/mage-eventpress/
- Monitor PHP error logs for include or require warnings ("Failed opening ... for inclusion") that reference unusual file paths; a successful inclusion produces no warning, so these entries indicate probing rather than the absence of compromise
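The first two detection strategies run over constructed access-log lines, as an added Python example (not from the advisory, Patchstack, or the plugin): it parses combined-format lines, percent-decodes the request target repeatedly so single-encoded, double-encoded and backslash variants are all matched, scopes to requests that mention the plugin directory, and reports lines showing a ../ sequence or a reference to wp-config.php or /etc/passwd. The sample lines, the inc/template.php endpoint and the tpl parameter are made up for the example; only the plugin directory name comes from the advisory.

```python
import re
import urllib.parse

# Apache/nginx "combined" log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A '..' segment followed by a slash or backslash and not glued to a filename,
# so "style..css" does not trip it.
TRAVERSAL_RE = re.compile(r'(?<![\w.])\.\.(?=[/\\]|$)')
SENSITIVE_RE = re.compile(r'wp-config\.php|/etc/passwd', re.IGNORECASE)
PLUGIN_MARKER = "mage-eventpress"

# Constructed sample lines. The inc/template.php endpoint and the tpl parameter
# are hypothetical; only the plugin directory name comes from the advisory.
SAMPLE_LOG = [
    '203.0.113.10 - - [27/Mar/2025:10:15:01 +0000] "GET /wp-content/plugins/mage-eventpress/assets/js/mep.min.js HTTP/1.1" 200 1823 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [27/Mar/2025:10:16:33 +0000] "GET /wp-content/plugins/mage-eventpress/inc/template.php?tpl=../../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.44 - - [27/Mar/2025:10:16:35 +0000] "GET /wp-content/plugins/mage-eventpress/inc/template.php?tpl=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024 "-" "curl/8.5.0"',
    '203.0.113.44 - - [27/Mar/2025:10:16:40 +0000] "GET /wp-content/plugins/mage-eventpress/inc/template.php?tpl=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.44 - - [27/Mar/2025:10:16:42 +0000] "GET /wp-content/plugins/mage-eventpress/inc/template.php?tpl=..%5c..%5cwp-config.php HTTP/1.1" 500 0 "-" "curl/8.5.0"',
    '198.51.100.7 - - [27/Mar/2025:10:17:00 +0000] "GET /wp-content/plugins/other-plugin/view.php?f=../../wp-config.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [27/Mar/2025:10:18:10 +0000] "GET /wp-content/plugins/mage-eventpress/assets/css/style..css HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
]


def decode_layers(value, max_rounds=3):
    """Percent-decode repeatedly until the value stops changing, so double-encoded
    payloads (%252e -> %2e -> .) are matched. Returns (decoded, rounds_needed)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def scan_access_log(lines, scope_marker=PLUGIN_MARKER):
    """Return one finding per request that targets the plugin (scope_marker appears
    in the decoded request target) and shows a traversal sequence or a sensitive
    file reference. Access logs carry only the request line, so POST bodies are
    invisible here; pair this with WAF or application-level logging for those."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        decoded, rounds = decode_layers(match.group("target"))
        if scope_marker not in decoded:
            continue
        reasons = []
        if TRAVERSAL_RE.search(decoded):
            reasons.append("traversal")
        if SENSITIVE_RE.search(decoded):
            reasons.append("sensitive_target")
        if not reasons:
            continue
        if rounds > 1:
            reasons.append("double_encoded")  # an extra encoding layer is itself evasive
        findings.append({
            "line": number,
            "client": match.group("client"),
            "status": int(match.group("status")),
            "decoded_target": decoded,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['client']} {finding['reasons']} -> {finding['decoded_target']}")
```

The WAF rule from the strategies list needs the same decode-before-match step: a rule that matches only the literal ../ misses the %2e%2e%2f and %252e%252e%252f forms in the sample, and one that matches only forward slashes misses the ..%5c variant.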
Monitoring Recommendations
- Enable verbose logging on the WordPress site to capture authenticated user actions involving the WpEvently plugin
- Alert on PHP file access patterns that deviate from the plugin's expected file inventory
- Track creation or modification of files under wp-content/uploads that contain PHP tags, including files with image or text extensions, since include executes any readable file regardless of extension and an LFI flaw can reference them
How to Mitigate CVE-2025-30895
Immediate Actions Required
- Update the WpEvently (mage-eventpress) plugin to the vendor's fixed release (a version later than 4.2.9) as soon as one is available
- Disable or remove the WpEvently plugin if a patched version is not yet available and the functionality is not essential
- Audit WordPress user accounts and revoke unnecessary privileges to reduce the pool of potential attackers
- Review web server and plugin logs for evidence of prior exploitation attempts
Patch Information
Consult the Patchstack WordPress Plugin Vulnerability database and the magepeopleteam vendor channels for the latest fixed release. Apply the update across all WordPress instances running the plugin and verify the installed version after patching.
Workarounds
- Place a WAF rule that blocks requests to WpEvently endpoints containing ../ or ..\ sequences after percent-decoding, so that ..%2f, %2e%2e and double-encoded forms such as %252e%252e are caught as well
- Set open_basedir in php.ini to confine file access to the WordPress installation directory; this blocks system paths such as /etc/passwd but not files inside the allowed tree such as wp-config.php or attacker-controlled uploads, so treat it as defense in depth rather than a fix
- Enforce least-privilege roles for authenticated users to limit access to plugin functionality
- Apply virtual patching through Patchstack or an equivalent WordPress protection service until the vendor patch is available
; Example php.ini hardening to constrain file inclusion scope (php.ini comments use ';', not '#')
; open_basedir only blocks paths outside the listed trees; files already inside them,
; such as wp-config.php or uploads containing PHP, remain includable
open_basedir = "/var/www/html/:/tmp/"
; PHP_INI_SYSTEM setting: effective only from php.ini or the server config, not ini_set(); add proc_open and popen if unused
disable_functions = "system,exec,shell_exec,passthru"
; Off blocks remote (http://, ftp://) includes; local inclusion is unaffected
allow_url_include = Off
; Off can break plugins that fetch remote content with file_get_contents(); test before deploying
allow_url_fopen = Off
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

