CVE-2025-30895: 
WordPress vulnerability analysis and mitigation

A path traversal vulnerability has been identified in magepeopleteam's WpEvently WordPress plugin, tracked as CVE-2025-30895. The vulnerability affects versions through 4.2.9 and allows PHP Local File Inclusion. This security issue was discovered and reported on February 11, 2025, and was publicly disclosed on March 27, 2025 (Patchstack, NVD).

The vulnerability is classified as an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') issue. It has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is tracked under CWE-22, which relates to improper path validation (NVD).

This vulnerability could allow a malicious actor to include local files of the target website and display their contents. Particularly sensitive files containing credentials, such as database configuration files, could be exposed, potentially leading to complete database compromise depending on the system configuration (Patchstack).

The vulnerability has been fixed in version 4.3.0 of the WpEvently plugin. Users are advised to update to this version or later to remove the vulnerability. The issue is considered to have a low severity impact and is deemed unlikely to be exploited (Patchstack).