CVE-2025-30829 identifies a Local File Inclusion (LFI) vulnerability in the Arraytics WPCafe WordPress plugin, specifically versions up to and including 2.2.31. The vulnerability arises from improper validation and control of filenames used in PHP include or require statements within the plugin's codebase. This flaw allows an attacker to manipulate the filename parameter to include arbitrary local files from the server's filesystem. Exploiting this vulnerability can lead to unauthorized disclosure of sensitive files such as configuration files, source code, or credentials, and potentially enable remote code execution if combined with other vulnerabilities or misconfigurations. The vulnerability does not require authentication, increasing its risk profile, and can be triggered remotely by sending crafted HTTP requests to the affected plugin endpoints. Although no public exploits have been reported yet, the widespread use of WordPress and the popularity of WPCafe as a restaurant and cafe management plugin make this a significant threat. The absence of a CVSS score indicates the need for a manual severity assessment, which rates this vulnerability as high due to the ease of exploitation and potential impact. The vulnerability was published on March 27, 2025, and is tracked under CVE-2025-30829. No official patches or fixes have been linked yet, emphasizing the need for immediate attention from site administrators.

The impact of CVE-2025-30829 is substantial for organizations using the WPCafe plugin on WordPress sites. Successful exploitation can lead to unauthorized disclosure of sensitive server files, including configuration files containing database credentials or API keys, which compromises confidentiality. Attackers may also execute arbitrary code if they can include files that contain executable PHP code, threatening system integrity and availability. This can result in website defacement, data theft, or full server compromise. For e-commerce or hospitality businesses relying on WPCafe for online ordering and management, such an attack could disrupt operations, damage reputation, and lead to financial losses. The vulnerability's remote exploitation capability without authentication increases the attack surface and risk. Additionally, compromised sites may be used as pivot points for lateral movement within organizational networks or for launching further attacks against customers or partners. Given the plugin's integration with WordPress, a widely deployed CMS, the potential scale of impact is global.

To mitigate CVE-2025-30829, organizations should immediately audit their WordPress installations for the presence of the WPCafe plugin and verify the version in use. Until an official patch is released by Arraytics, administrators should consider disabling or uninstalling the plugin to eliminate the attack vector. If disabling is not feasible, implement web application firewall (WAF) rules to block suspicious requests attempting to manipulate include parameters or access sensitive files. Restrict PHP include paths using configuration directives such as open_basedir to limit file inclusion to trusted directories. Employ strict input validation and sanitization on any user-controllable parameters related to file inclusion. Monitor server and application logs for unusual access patterns or errors indicative of LFI attempts. Regularly back up website data and configurations to enable recovery in case of compromise. Stay informed about updates from the vendor and apply patches promptly once available. Additionally, consider deploying runtime application self-protection (RASP) tools that can detect and block file inclusion attacks in real time.