Vulnerability-Lookup

CVE-2025-30890 (GCVE-0-2025-30890)

Vulnerability from cvelistv5 – Published: 2025-03-27 10:55 – Updated: 2026-04-23 14:06

Title

WordPress Login Widget for Ultimate Member plugin <= 1.1.2 - Local File Inclusion vulnerability

Summary

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SuitePlugins Login Widget for Ultimate Member login-widget-for-ultimate-member allows PHP Local File Inclusion.This issue affects Login Widget for Ultimate Member: from n/a through <= 1.1.2.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Assigner

Patchstack

References

URL

Tags

https://patchstack.com/database/Wordpress/Plugin/…

vdb-entry

Impacted products

	Vendor	Product	Version
	SuitePlugins	Login Widget for Ultimate Member	Affected: 0 , ≤ 1.1.2 (custom)

Date Public ?

2026-04-22 14:31

Credits

Muhammad Yudha - DJ | Patchstack Bug Bounty Program

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-30890",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-27T16:08:52.991918Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T16:13:41.091Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "login-widget-for-ultimate-member",
          "product": "Login Widget for Ultimate Member",
          "vendor": "SuitePlugins",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.1.3",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.1.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-22T14:31:28.893Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in SuitePlugins Login Widget for Ultimate Member login-widget-for-ultimate-member allows PHP Local File Inclusion.\u003cp\u003eThis issue affects Login Widget for Ultimate Member: from n/a through \u003c= 1.1.2.\u003c/p\u003e"
            }
          ],
          "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in SuitePlugins Login Widget for Ultimate Member login-widget-for-ultimate-member allows PHP Local File Inclusion.This issue affects Login Widget for Ultimate Member: from n/a through \u003c= 1.1.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-252",
          "descriptions": [
            {
              "lang": "en",
              "value": "PHP Local File Inclusion"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-98",
              "description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-23T14:06:59.202Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/login-widget-for-ultimate-member/vulnerability/wordpress-login-widget-for-ultimate-member-plugin-1-1-2-local-file-inclusion-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Login Widget for Ultimate Member plugin \u003c= 1.1.2 - Local File Inclusion vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-30890",
    "datePublished": "2025-03-27T10:55:44.222Z",
    "dateReserved": "2025-03-26T09:21:23.220Z",
    "dateUpdated": "2026-04-23T14:06:59.202Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-30890",
      "date": "2026-04-25",
      "epss": "0.00423",
      "percentile": "0.62181"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-30890\",\"sourceIdentifier\":\"audit@patchstack.com\",\"published\":\"2025-03-27T11:15:49.920\",\"lastModified\":\"2026-04-23T15:27:16.373\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in SuitePlugins Login Widget for Ultimate Member login-widget-for-ultimate-member allows PHP Local File Inclusion.This issue affects Login Widget for Ultimate Member: from n/a through \u003c= 1.1.2.\"},{\"lang\":\"es\",\"value\":\"La vulnerabilidad de control incorrecto del nombre de archivo para la instrucci\u00f3n Include/Require en un programa PHP (\u0027Inclusi\u00f3n remota de archivos en PHP\u0027) en SuitePlugins Login Widget for Ultimate Member permite la inclusi\u00f3n local de archivos en PHP. Este problema afecta al widget de inicio de sesi\u00f3n de Ultimate Member desde n/d hasta la versi\u00f3n 1.1.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"audit@patchstack.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"audit@patchstack.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-98\"}]}],\"references\":[{\"url\":\"https://patchstack.com/database/Wordpress/Plugin/login-widget-for-ultimate-member/vulnerability/wordpress-login-widget-for-ultimate-member-plugin-1-1-2-local-file-inclusion-vulnerability?_s_id=cve\",\"source\":\"audit@patchstack.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-30890\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-27T16:08:52.991918Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-27T16:09:25.647Z\"}}], \"cna\": {\"title\": \"WordPress Login Widget for Ultimate Member plugin \u003c= 1.1.2 - Local File Inclusion vulnerability\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Muhammad Yudha - DJ | Patchstack Bug Bounty Program\"}], \"impacts\": [{\"capecId\": \"CAPEC-252\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"PHP Local File Inclusion\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SuitePlugins\", \"product\": \"Login Widget for Ultimate Member\", \"versions\": [{\"status\": \"affected\", \"changes\": [{\"at\": \"1.1.3\", \"status\": \"unaffected\"}], \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.1.2\"}], \"packageName\": \"login-widget-for-ultimate-member\", \"collectionURL\": \"https://wordpress.org/plugins\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-04-22T14:31:28.893Z\", \"references\": [{\"url\": \"https://patchstack.com/database/Wordpress/Plugin/login-widget-for-ultimate-member/vulnerability/wordpress-login-widget-for-ultimate-member-plugin-1-1-2-local-file-inclusion-vulnerability?_s_id=cve\", \"tags\": [\"vdb-entry\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in SuitePlugins Login Widget for Ultimate Member login-widget-for-ultimate-member allows PHP Local File Inclusion.This issue affects Login Widget for Ultimate Member: from n/a through \u003c= 1.1.2.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in SuitePlugins Login Widget for Ultimate Member login-widget-for-ultimate-member allows PHP Local File Inclusion.\u003cp\u003eThis issue affects Login Widget for Ultimate Member: from n/a through \u003c= 1.1.2.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-98\", \"description\": \"Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"21595511-bba5-4825-b968-b78d1f9984a3\", \"shortName\": \"Patchstack\", \"dateUpdated\": \"2026-04-23T14:06:59.202Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-30890\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-23T14:06:59.202Z\", \"dateReserved\": \"2025-03-26T09:21:23.220Z\", \"assignerOrgId\": \"21595511-bba5-4825-b968-b78d1f9984a3\", \"datePublished\": \"2025-03-27T10:55:44.222Z\", \"assignerShortName\": \"Patchstack\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-FHPG-4J4X-74CV

Vulnerability from github – Published: 2025-03-27 12:30 – Updated: 2026-04-01 18:34

Details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SuitePlugins Login Widget for Ultimate Member allows PHP Local File Inclusion. This issue affects Login Widget for Ultimate Member: from n/a through 1.1.2.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-30890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-98"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-27T11:15:49Z",
    "severity": "HIGH"
  },
  "details": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in SuitePlugins Login Widget for Ultimate Member allows PHP Local File Inclusion. This issue affects Login Widget for Ultimate Member: from n/a through 1.1.2.",
  "id": "GHSA-fhpg-4j4x-74cv",
  "modified": "2026-04-01T18:34:08Z",
  "published": "2025-03-27T12:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30890"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/login-widget-for-ultimate-member/vulnerability/wordpress-login-widget-for-ultimate-member-plugin-1-1-2-local-file-inclusion-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2025-30890

Vulnerability from fkie_nvd - Published: 2025-03-27 11:15 - Updated: 2026-04-23 15:27

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	audit@patchstack.com	https://patchstack.com/database/Wordpress/Plugin/login-widget-for-ultimate-member/vulnerability/wordpress-login-widget-for-ultimate-member-plugin-1-1-2-local-file-inclusion-vulnerability?_s_id=cve

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in SuitePlugins Login Widget for Ultimate Member login-widget-for-ultimate-member allows PHP Local File Inclusion.This issue affects Login Widget for Ultimate Member: from n/a through \u003c= 1.1.2."
    },
    {
      "lang": "es",
      "value": "La vulnerabilidad de control incorrecto del nombre de archivo para la instrucci\u00f3n Include/Require en un programa PHP (\u0027Inclusi\u00f3n remota de archivos en PHP\u0027) en SuitePlugins Login Widget for Ultimate Member permite la inclusi\u00f3n local de archivos en PHP. Este problema afecta al widget de inicio de sesi\u00f3n de Ultimate Member desde n/d hasta la versi\u00f3n 1.1.2."
    }
  ],
  "id": "CVE-2025-30890",
  "lastModified": "2026-04-23T15:27:16.373",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.9,
        "source": "audit@patchstack.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-27T11:15:49.920",
  "references": [
    {
      "source": "audit@patchstack.com",
      "url": "https://patchstack.com/database/Wordpress/Plugin/login-widget-for-ultimate-member/vulnerability/wordpress-login-widget-for-ultimate-member-plugin-1-1-2-local-file-inclusion-vulnerability?_s_id=cve"
    }
  ],
  "sourceIdentifier": "audit@patchstack.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-98"
        }
      ],
      "source": "audit@patchstack.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-30890 (GCVE-0-2025-30890)

GHSA-FHPG-4J4X-74CV

FKIE_CVE-2025-30890

Tags

Sightings

Nomenclature