CVE-2025-69379
Published: 20 February 2026
Summary
CVE-2025-69379 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-69379 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, classified as CWE-22, in the WordPress plugin Upload Files Anywhere (wp-upload-files-anywhere). This issue affects the plugin from unknown initial versions through version 2.8. Published on 2026-02-20, it carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), indicating high severity primarily due to availability impact.
Unauthenticated attackers with network access can exploit this path traversal flaw with low attack complexity and no user interaction. Because the scope is changed (S:C), the impact reaches beyond the vulnerable plugin itself: exploitation leads to a high-impact denial of service, such as arbitrary file deletion on the targeted WordPress site.
Patchstack advisories document this as an arbitrary file deletion vulnerability specifically in Upload Files Anywhere plugin version 2.8, with details available in their vulnerability database.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207962
Vulnerability details
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal. This issue affects Upload Files Anywhere: from n/a through <= 2.8.
- CWE(s): CWE-22
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Path traversal in a public-facing WordPress plugin enables remote unauthenticated exploitation (T1190), leading directly to arbitrary file deletion for denial-of-service impact (T1485).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 requires validation and error handling of inputs at critical entry points like the file upload function, directly preventing path traversal exploitation in the WordPress plugin.
SI-9 enforces restrictions on inputs such as filenames and paths, blocking traversal sequences like '../' that enable arbitrary file deletion.
SI-2 mandates identification and timely remediation of flaws, directly addressing this CVE by patching the Upload Files Anywhere plugin beyond version 2.8.