CVE-2025-30835: 
WordPress vulnerability analysis and mitigation

The Accounting for WooCommerce WordPress plugin contains a Local File Inclusion vulnerability (CVE-2025-30835) discovered by Dimas Maulana. The vulnerability affects versions up to and including 1.6.8, with a fix released in version 1.6.9. This security flaw allows unauthenticated attackers to include and execute arbitrary files on the server (WPScan, Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program (CWE-98). It has received a CVSS v3.1 base score of 7.5 (High) from Patchstack with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, while WPScan rates it at 9.8 (Critical). The vulnerability falls under the OWASP Top 10 category A1: Injection (NVD, Patchstack).

The vulnerability enables attackers to include and execute arbitrary files on the server, potentially leading to the execution of any PHP code in those files. This can be exploited to bypass access controls, obtain sensitive information such as database credentials, and achieve code execution when 'safe' file types can be uploaded and included (WPScan, Patchstack).

The primary mitigation is to update the Accounting for WooCommerce plugin to version 1.6.9 or later. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking attacks until the update can be applied. The vulnerability was reported on February 17, 2025, with early warnings sent to Patchstack customers on March 27, 2025 (Patchstack).