CVE-2025-30782 identifies a Local File Inclusion (LFI) vulnerability in the WordPress plugin 'Subscribe to Download Lite' developed by WP Shuffle, affecting all versions up to and including 1.2.9. The vulnerability stems from improper validation or sanitization of user-supplied input used in PHP include or require statements. This flaw allows an attacker to manipulate the filename parameter to include arbitrary local files from the server's filesystem. Exploiting this vulnerability can lead to disclosure of sensitive files such as configuration files, password files, or other critical data, and in some cases, may enable remote code execution if combined with other vulnerabilities or misconfigurations. The vulnerability is classified as a PHP Local File Inclusion issue rather than Remote File Inclusion, indicating that the attacker cannot directly include remote files but can leverage local files on the server. No CVSS score has been assigned yet, and no public exploits have been reported. The vulnerability was reserved on March 26, 2025, and published on April 1, 2025. The plugin is widely used in WordPress environments to manage subscription-based downloads, making it a valuable target for attackers seeking to compromise websites or exfiltrate data. The lack of a patch link suggests that a fix is pending or in development. The vulnerability does not require authentication, increasing its risk profile, and may be triggered via crafted HTTP requests to the plugin's endpoints that handle file inclusion.

The impact of CVE-2025-30782 is significant for organizations running WordPress sites with the vulnerable 'Subscribe to Download Lite' plugin. Successful exploitation can lead to unauthorized disclosure of sensitive server files, including configuration files containing database credentials or API keys, which can further facilitate privilege escalation or data breaches. In some scenarios, attackers might chain this vulnerability with others to achieve remote code execution, leading to full server compromise. This can result in website defacement, data theft, malware distribution, or use of the compromised server as a pivot point for lateral movement within an organization's network. The vulnerability affects the confidentiality and integrity of data and can also impact availability if attackers disrupt services or deploy ransomware. Since WordPress powers a large portion of the web, including e-commerce, government, and enterprise sites, the potential scale of impact is broad. Organizations lacking timely patching or compensating controls are at higher risk, especially those with publicly accessible WordPress installations. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as proof-of-concept code or exploit kits may emerge.

To mitigate CVE-2025-30782, organizations should: 1) Monitor the WP Shuffle plugin repository and official channels for the release of a security patch and apply it immediately upon availability. 2) In the interim, restrict access to the plugin's endpoints by implementing IP whitelisting or authentication controls to limit exposure. 3) Employ web application firewalls (WAFs) with rules designed to detect and block suspicious file inclusion patterns or attempts to manipulate include parameters. 4) Conduct code audits or use security scanning tools to identify and remediate unsafe include/require statements if custom modifications exist. 5) Harden the server environment by disabling PHP functions that facilitate file inclusion or execution where feasible (e.g., allow_url_include, allow_url_fopen). 6) Implement strict file system permissions to limit the files accessible by the web server user, reducing the impact of LFI exploitation. 7) Regularly back up website data and configurations to enable rapid recovery in case of compromise. 8) Educate development and operations teams about secure coding practices related to file inclusion and input validation. These steps collectively reduce the attack surface and limit the potential damage from exploitation.