CVE-2025-30890 is a security vulnerability identified in the SuitePlugins Login Widget for Ultimate Member, a WordPress plugin used to manage user login functionality. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements, which leads to a Local File Inclusion (LFI) flaw. LFI vulnerabilities allow attackers to trick the application into including files from the local server filesystem, which can lead to arbitrary code execution, information disclosure, or further compromise of the server environment. This specific vulnerability affects versions up to and including 1.1.2 of the plugin. The issue is due to insufficient validation or sanitization of user-supplied input that controls the file path in the include/require statement. Although no public exploits have been reported yet, the vulnerability is critical because it can be exploited remotely without authentication or user interaction, depending on the plugin’s configuration and exposure. The lack of a CVSS score means severity must be assessed based on the potential impact on confidentiality, integrity, and availability, as well as ease of exploitation. This vulnerability is particularly concerning for websites using the Ultimate Member plugin, which is popular among WordPress sites for user management, thus potentially affecting a large number of websites globally. The vulnerability was published on March 27, 2025, and no official patch links have been provided yet, so immediate mitigation steps are necessary to reduce risk.

The impact of CVE-2025-30890 can be severe for organizations running WordPress sites with the vulnerable Login Widget for Ultimate Member plugin. Exploitation of this Local File Inclusion vulnerability can lead to unauthorized disclosure of sensitive files such as configuration files, password files, or other critical data stored on the server. Attackers may also leverage this flaw to execute arbitrary PHP code, leading to full server compromise, data theft, defacement, or use of the server as a pivot point for further attacks. The vulnerability threatens confidentiality by exposing sensitive data, integrity by allowing code execution and modification of files, and availability if attackers disrupt services. Since the plugin is used in user authentication workflows, compromise could also lead to user account takeover or privilege escalation. The widespread use of WordPress globally means that many organizations, including small businesses, e-commerce sites, and enterprises, could be affected. The absence of known exploits currently provides a window for proactive mitigation, but the ease of exploitation and potential impact make this a high-risk issue.

1. Immediately monitor and audit web server logs for suspicious include or require requests that may indicate attempted exploitation. 2. Apply strict input validation and sanitization on any parameters controlling file paths in the plugin’s code, restricting inputs to a whitelist of allowed filenames or directories. 3. Implement web application firewall (WAF) rules to detect and block attempts to exploit file inclusion vulnerabilities, such as requests containing directory traversal sequences or suspicious file extensions. 4. Restrict file system permissions to limit the plugin’s ability to read or execute files outside its intended directories. 5. Disable or restrict PHP functions like include, require, or allow_url_include if not necessary. 6. Keep the WordPress core, plugins, and themes updated; monitor SuitePlugins for an official patch release for this vulnerability and apply it promptly once available. 7. Consider temporarily disabling the vulnerable plugin if patching is not immediately possible and if it does not critically impact site functionality. 8. Educate developers and administrators about secure coding practices related to file inclusion and input validation to prevent similar issues in the future.