CVE-2025-68901
Published: 22 January 2026
Summary
CVE-2025-68901 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates CVE-2025-68901 by remediating the path traversal flaw through timely patching or updating of the vulnerable Anona WordPress theme.
- SI-10 (Information Input Validation): prevents path traversal exploitation by validating and sanitizing pathname inputs so that file operations are restricted to authorized directories only.
- SC-7 (Boundary Protection): deploys boundary protection such as a web application firewall to inspect and block requests containing path traversal payloads aimed at the WordPress theme.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing WordPress theme directly enables remote exploitation of the application (T1190, Exploit Public-Facing Application), and the resulting arbitrary file deletion maps to T1485 (Data Destruction) for its availability impact.
NVD Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Anona anona allows Path Traversal. This issue affects Anona: from n/a through <= 8.0.
Deeper analysis
CVE-2025-68901 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, corresponding to CWE-22, in the AivahThemes Anona WordPress theme. This issue affects Anona versions from an unspecified starting point through 8.0 inclusive. Published on 2026-01-22, it carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), highlighting its high severity due to network accessibility, low attack complexity, and significant availability impact.
Unauthenticated remote attackers (PR:N) can exploit this vulnerability over the network (AV:N) without user interaction (UI:N) and with low complexity (AC:L). Exploitation enables path traversal, resulting in arbitrary file deletion within the affected WordPress installation. The changed scope (S:C) amplifies the impact, potentially causing high disruption to availability (A:H) such as site downtime, while confidentiality (C:N) and integrity (I:N) remain unaffected.
The primary advisory from Patchstack documents this as an arbitrary file deletion vulnerability specifically in Anona theme version 8.0, available at https://patchstack.com/database/Wordpress/Theme/anona/vulnerability/wordpress-anona-theme-8-0-arbitrary-file-deletion-vulnerability?_s_id=cve. Mitigation guidance is provided in the advisory, focusing on addressing the path traversal flaw in the theme.
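The SI-10 control named above comes down to one routine: before a theme deletes a file whose name came from a request, it must canonicalise the path and refuse anything that lands outside the directory it is allowed to manage. The following PHP is an added illustration of that check and is not code from the Anona theme, from Patchstack or from NVD; the function names, the uploads directory and the demo files are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added defensive example; not code from the Anona theme, Patchstack or NVD.
// It shows the SI-10 control in practice: a file-deletion routine that only
// accepts a relative name and refuses anything that resolves outside $baseDir.
// Requires PHP 8.0+ (str_contains / str_starts_with).

function resolve_inside(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Reject empty names, NUL bytes, absolute paths and stream wrappers (php://, phar://).
    if ($userPath === ''
        || str_contains($userPath, "\0")
        || preg_match('#^([a-z][a-z0-9+.\-]*:|/|\\\\)#i', $userPath) === 1) {
        return null;
    }
    // realpath() canonicalises "." / ".." segments and resolves symlinks;
    // it returns false for a non-existent target, which is a safe failure here.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) {
        return null;
    }
    // Containment check on the canonical path. Comparing against base + separator
    // stops a sibling such as "/srv/uploads-old" from passing for "/srv/uploads".
    if (!str_starts_with($target, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $target;
}

function safe_delete(string $baseDir, string $userPath): bool
{
    $target = resolve_inside($baseDir, $userPath);
    if ($target === null || !is_file($target)) {
        error_log("safe_delete: rejected '" . $userPath . "'");
        return false;
    }
    return unlink($target);
}

// Constructed demonstration using throw-away files in the system temp directory.
$tmp     = sys_get_temp_dir();
$uploads = $tmp . DIRECTORY_SEPARATOR . 'uploads-' . bin2hex(random_bytes(4));
$outside = $tmp . DIRECTORY_SEPARATOR . 'outside-' . bin2hex(random_bytes(4)) . '.txt';
mkdir($uploads);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'report.pdf', 'demo');
file_put_contents($outside, 'must survive');

// A traversal name pointing at the sibling file is refused and the file is untouched.
var_dump(safe_delete($uploads, '..' . DIRECTORY_SEPARATOR . basename($outside)));
var_dump(file_exists($outside));
// A plain name inside the directory is deleted as intended.
var_dump(safe_delete($uploads, 'report.pdf'));
var_dump(file_exists($uploads . DIRECTORY_SEPARATOR . 'report.pdf'));

// Clean up the demo files.
unlink($outside);
rmdir($uploads);
```

Two design points are worth noting. The containment test compares canonical paths with a trailing separator rather than doing a bare prefix match, because a bare prefix would accept a sibling directory whose name merely starts with the base. And because realpath() resolves symlinks, a link placed inside the managed directory that points elsewhere also fails the check; the cost is that the target must exist at check time, which is acceptable for a delete operation. On the detection side, the error_log() line gives a WAF-independent signal: a burst of rejected names containing ".." against a theme endpoint is exactly the pattern SC-7 boundary devices should also be alerting on.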
Details
- CWE(s)