Cyber Resilience

CVE-2025-69379

High

Published: 20 February 2026
Modified: 15 April 2026
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0037 (28.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-69379 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28.9th percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-69379 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, classified as CWE-22, in the WordPress plugin Upload Files Anywhere (wp-upload-files-anywhere). This issue affects the plugin from unknown initial versions through version 2.8. Published on 2026-02-20, it carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), indicating high severity primarily due to availability impact.

Unauthenticated attackers with network access can exploit this path traversal flaw with low attack complexity and no user interaction. The vector also records a changed scope (S:C), and remote exploitation leads to high-impact denial of service, such as arbitrary file deletion on the targeted WordPress site.

Patchstack advisories document this as an arbitrary file deletion vulnerability specifically in Upload Files Anywhere plugin version 2.8, with details available in their vulnerability database.

Vulnerability details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal. This issue affects Upload Files Anywhere: from n/a through <= 2.8.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

Why these techniques?

Path traversal in a public-facing WordPress plugin enables remote unauthenticated exploitation (T1190), leading directly to arbitrary file deletion for denial-of-service impact (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24970 (shared CWE-22)
CVE-2026-4351 (shared CWE-22)
CVE-2026-45230 (shared CWE-22)
CVE-2025-68901 (shared CWE-22)
CVE-2026-33293 (shared CWE-22)
CVE-2025-26540 (shared CWE-22)
CVE-2025-7359 (shared CWE-22)
CVE-2026-22448 (shared CWE-22)
CVE-2025-21622 (shared CWE-22)
CVE-2025-14868 (shared CWE-22)

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 requires validation and error handling of inputs at critical entry points like the file upload function, directly preventing path traversal exploitation in the WordPress plugin.

Prevent: SI-9 enforces restrictions on inputs such as filenames and paths, blocking traversal sequences like '../' that enable arbitrary file deletion.

Prevent: SI-2 mandates identification and timely remediation of flaws, directly addressing this CVE by patching the Upload Files Anywhere plugin beyond version 2.8.
