CVE-2025-30846: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2025-30846) is a Local File Inclusion vulnerability affecting the Restaurant Menu by MotoPress WordPress plugin versions through 2.4.4. The vulnerability was discovered by muhammad yudha and was publicly disclosed on March 27, 2025 (Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'). It has received a CVSS v3.1 Base Score of 8.8 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is tracked under CWE-98 (NVD).

This vulnerability could allow a malicious actor to include local files of the target website and display their output on the screen. Particularly sensitive files containing credentials, such as database configurations, could potentially be exposed, leading to complete database compromise depending on the system configuration (Patchstack).

The vulnerability has been fixed in version 2.4.5 of the Restaurant Menu by MotoPress plugin. Users are advised to update to version 2.4.5 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).