CVE-2025-30846 identifies a Local File Inclusion (LFI) vulnerability in the Restaurant Menu by MotoPress plugin, versions up to and including 2.4.4. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements within the plugin's codebase. This flaw allows an attacker to manipulate the input controlling which files are included, enabling them to include arbitrary local files on the web server. Such an inclusion can lead to disclosure of sensitive files (e.g., configuration files, password files), execution of malicious code, or even full server compromise if combined with other vulnerabilities. The issue is classified as a PHP Remote File Inclusion type but specifically manifests as Local File Inclusion due to the nature of the vulnerability. There are no known public exploits or patches at the time of publication, and the vulnerability was reserved and published in March 2025. The plugin is commonly used on WordPress sites for managing restaurant menus, making it a target for attackers seeking to exploit hospitality industry websites. The vulnerability does not require authentication but does require the attacker to craft specific requests to manipulate the include filename parameter. The absence of a CVSS score necessitates a severity assessment based on impact and exploitability factors.

The impact of CVE-2025-30846 is significant for organizations using the affected plugin. Successful exploitation can lead to unauthorized disclosure of sensitive server files, including database credentials and configuration files, which can facilitate further attacks. Attackers may execute arbitrary code or commands on the server, leading to website defacement, data theft, or full server takeover. This compromises confidentiality, integrity, and availability of the affected systems. For businesses in the hospitality sector relying on the plugin for online menu management, this could result in reputational damage, loss of customer trust, and potential regulatory penalties if customer data is exposed. The vulnerability's ease of exploitation without authentication increases the risk, especially for publicly accessible websites. Although no known exploits exist yet, the widespread use of the plugin and the critical nature of the flaw make it a high-risk threat globally.

1. Monitor the vendor's official channels for patches or updates addressing CVE-2025-30846 and apply them immediately upon release. 2. Until a patch is available, restrict access to the plugin's functionality by limiting permissions and using web application firewalls (WAFs) to detect and block suspicious requests targeting file inclusion parameters. 3. Implement strict input validation and sanitization on all user-supplied inputs that influence file inclusion or path parameters to prevent manipulation. 4. Disable PHP functions that allow file inclusion if not required, such as include(), require(), or use PHP configuration directives to restrict file access. 5. Conduct regular security audits and code reviews of customizations or third-party plugins to identify similar vulnerabilities. 6. Employ intrusion detection systems (IDS) to monitor for anomalous activity indicative of exploitation attempts. 7. Backup website data and configurations regularly to enable rapid recovery in case of compromise. 8. Educate development and IT teams about secure coding practices related to file inclusion and parameter handling.