CVE-2025-30594
📋 TL;DR
This path traversal vulnerability in the WordPress Include URL plugin allows attackers to download arbitrary files from the server by manipulating URL parameters. It affects all WordPress sites using Include URL plugin versions 0.3.5 and earlier. Attackers can potentially access sensitive files like configuration files, password files, or source code.
💻 Affected Systems
- WordPress Include URL plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through retrieval of sensitive configuration files (like wp-config.php containing database credentials), followed by database access, privilege escalation, or lateral movement within the network.
Likely Case
Exfiltration of sensitive files including configuration files, password hashes, or source code, potentially leading to credential theft, data breaches, or further exploitation.
If Mitigated
Limited impact with proper file permissions and web server configurations that restrict access to sensitive directories and files.
🎯 Exploit Status
The vulnerability requires no authentication and exploitation is straightforward via crafted URLs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.3.6 or later
Vendor Advisory: https://patchstack.com/database/wordpress/plugin/include-url/vulnerability/wordpress-include-url-0-3-5-arbitrary-file-download-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Include URL' plugin
4. Click 'Update Now' if update is available
5. If no update appears, manually download version 0.3.6+ from WordPress repository
6. Deactivate and delete old version
7. Upload and activate new version
🔧 Temporary Workarounds
Disable Include URL Plugin
allTemporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate include-url
Web Server Path Restriction
linuxConfigure web server to block directory traversal attempts
# For Apache: Add to .htaccess
RewriteCond %{REQUEST_URI} \.\. [NC]
RewriteRule .* - [F]
# For Nginx: Add to server block
location ~*\.\. { deny all; }
🧯 If You Can't Patch
- Immediately disable or remove the Include URL plugin from all WordPress installations
- Implement web application firewall (WAF) rules to block path traversal patterns and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Include URL version. If version is 0.3.5 or earlier, system is vulnerable.Check Version:
wp plugin get include-url --field=versionVerify Fix Applied:
Verify Include URL plugin version is 0.3.6 or later in WordPress admin panel. Test with known safe path traversal attempts that should be blocked.📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '..' or '../' patterns to Include URL endpoints
- Unusual file access patterns from web server logs
- Multiple failed attempts to access sensitive file paths
Network Indicators:
- HTTP requests with encoded directory traversal sequences (%2e%2e%2f, ..%2f)
- Unusual outbound traffic following file access attempts
SIEM Query:
source="web_server_logs" AND (uri="*..*" OR uri="*%2e%2e*" OR uri="*../*") AND uri="*include-url*"