CVE-2025-30845 identifies a Local File Inclusion (LFI) vulnerability in the webangon The Pack Elementor addons plugin for WordPress, specifically versions up to 2.1.1. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements. This flaw allows an attacker to manipulate the input to include arbitrary local files on the server, potentially leading to sensitive information disclosure, code execution, or server compromise. The vulnerability is classified as a PHP Remote File Inclusion type but is technically a Local File Inclusion since it involves local files. The plugin fails to properly sanitize or validate user-supplied input before including files, which is a common security oversight in PHP applications. Although no public exploits have been reported, the vulnerability is publicly disclosed and documented in the CVE database. The lack of a CVSS score indicates that the vulnerability is newly published and may not yet have undergone full severity assessment. The vulnerability affects a widely used WordPress addon, which integrates with the popular Elementor page builder, increasing the potential attack surface. The attacker can exploit this vulnerability remotely by sending crafted HTTP requests to the vulnerable plugin endpoints, without requiring authentication or user interaction. This makes the vulnerability particularly dangerous in publicly accessible WordPress sites. The improper file inclusion can lead to disclosure of sensitive files such as configuration files, password files, or even allow remote code execution if combined with other vulnerabilities or misconfigurations. The vulnerability was reserved and published in March 2025 by Patchstack, a known security researcher and vendor in the WordPress ecosystem. No patches or fixes are currently linked, indicating that users must monitor vendor updates or apply temporary mitigations.

The impact of CVE-2025-30845 on organizations worldwide can be significant, especially for those relying on WordPress sites using The Pack Elementor addons. Successful exploitation can lead to unauthorized disclosure of sensitive data, including configuration files, credentials, or other critical information stored on the server. Additionally, attackers may execute arbitrary code, leading to full server compromise, defacement, or use of the server as a pivot point for further attacks. This can result in data breaches, service disruption, reputational damage, and compliance violations. Since WordPress powers a large portion of the web, and Elementor is a popular page builder, the attack surface is broad. Organizations with public-facing websites using this plugin are particularly vulnerable. The ease of exploitation without authentication increases risk, making automated scanning and exploitation plausible. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability's public disclosure may prompt attackers to develop exploits rapidly. The impact extends to hosting providers, managed WordPress services, and enterprises using the plugin for marketing or e-commerce sites. Overall, the threat poses a high risk to confidentiality, integrity, and availability of affected systems.

To mitigate CVE-2025-30845, organizations should first verify if they use The Pack Elementor addons plugin, particularly versions up to 2.1.1. Immediate steps include disabling or removing the vulnerable plugin if it is not essential. If the plugin is required, monitor the vendor's official channels for patches or updates addressing this vulnerability and apply them promptly once available. In the interim, implement web application firewall (WAF) rules to detect and block suspicious requests attempting to exploit file inclusion, such as those containing directory traversal sequences or unusual file path parameters. Restrict access to plugin endpoints by IP whitelisting or authentication where feasible. Harden PHP configurations by disabling dangerous functions like include(), require(), or limiting file system access with open_basedir restrictions. Conduct regular security audits and scanning for signs of exploitation or anomalous file access. Educate site administrators on the risks of installing unverified plugins and maintaining updated software. Backup website data regularly to enable recovery in case of compromise. Finally, consider using security plugins that monitor file integrity and block malicious payloads targeting WordPress vulnerabilities.