CVE-2025-30849

8.1 HIGH

📋 TL;DR

This vulnerability allows attackers to make the Essential Real Estate WordPress plugin include arbitrary local files on the server through PHP's include/require statements. Attackers can potentially read sensitive files or execute arbitrary code. All WordPress sites running affected versions of the Essential Real Estate plugin are vulnerable.

💻 Affected Systems

Products:
  • Essential Real Estate WordPress Plugin
Versions: n/a through 5.2.0
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a WordPress installation with the vulnerable plugin activated. Disabling allow_url_include in the PHP configuration does not prevent local file inclusion; that setting only restricts inclusion of remote URLs.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise through remote code execution leading to data theft, website defacement, or malware installation.

🟠 Likely Case

Sensitive file disclosure (configuration files, database credentials) and limited code execution within the web server context.

🟢 If Mitigated

File read limited to web-accessible directories if proper file permissions and security controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of vulnerable parameters and paths. Public proof-of-concept code exists in vulnerability databases.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.1 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/essential-real-estate/vulnerability/wordpress-essential-real-estate-plugin-5-2-0-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Essential Real Estate plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 5.2.1+ from the WordPress repository and replace the plugin files.

🔧 Temporary Workarounds

Disable Plugin (applies to: all platforms)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate essential-real-estate

Web Application Firewall Rule (applies to: linux)

Block requests containing local file inclusion patterns with a ModSecurity rule:

SecRule ARGS "\.\./" "phase:2,deny,status:403,id:1001"

🧯 If You Can't Patch

  • Implement strict file permissions (chmod 644 for files, 755 for directories)
  • Use web application firewall to block directory traversal patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Essential Real Estate → Version number. If version is 5.2.0 or earlier, you are vulnerable.

Check Version:

wp plugin get essential-real-estate --field=version

Verify Fix Applied:

Verify plugin version is 5.2.1 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with ../ patterns in parameters
  • PHP include/require errors in web server logs
  • Access to unusual files like /etc/passwd from web requests

Network Indicators:

  • HTTP GET/POST requests with file path parameters
  • Unusual file extensions in URL parameters

SIEM Query:

source="web_logs" AND (uri="*../*" OR params="*../*")
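As an added example (not part of this advisory), the following Python script applies the log indicators above to web-server access-log lines, URL-decoding parameter values repeatedly so that encoded traversal sequences are normalised before matching. The log lines, IP addresses and parameter names are constructed for illustration.

```python
"""Added example (not from the advisory): scan access-log lines for the LFI
log indicators listed above. Sample log lines below are constructed."""
import re
from typing import Optional
from urllib.parse import unquote, urlsplit, parse_qsl

# Combined log format: IP ident user [timestamp] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')           # ../ or ..\ after decoding
# File names a web request has no legitimate reason to name in a parameter.
SENSITIVE_RE = re.compile(r'(/etc/passwd|wp-config\.php|php://|\.(ini|log|htaccess)$)', re.I)

def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so %2e%2e%2f and double-encoded variants become '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyse_line(line: str) -> Optional[dict]:
    """Return a finding for a log line matching the LFI indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    # Inspect the decoded path and every decoded query-parameter value.
    candidates = [decode_fully(parts.path)]
    candidates += [decode_fully(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    reasons = set()
    for c in candidates:
        if TRAVERSAL_RE.search(c):
            reasons.add("traversal")
        if SENSITIVE_RE.search(c):
            reasons.add("sensitive_path")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "uri": m.group("uri"),
            "status": m.group("status"), "reasons": sorted(reasons)}

def scan_log(lines):
    """Return findings for all matching lines (benign lines are dropped)."""
    return [f for f in (analyse_line(l) for l in lines) if f]

# Constructed samples: benign, literal traversal, double-URL-encoded traversal.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "GET /property/?page=2 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Mar/2025:10:00:02 +0000] "GET /index.php?param=../../../../etc/passwd HTTP/1.1" 200 1024',
    '198.51.100.9 - - [10/Mar/2025:10:00:03 +0000] "GET /index.php?p=%252e%252e%252fwp-config.php HTTP/1.1" 404 221',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Feed real access-log lines to scan_log and forward the findings to the SIEM; a 200 status on a flagged request deserves the highest priority.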
