{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69379", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:13:05.452Z", "datePublished": "2026-02-20T15:46:53.230Z", "dateUpdated": "2026-04-28T20:57:05.997Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected", "packageName": "wp-upload-files-anywhere", "product": "Upload Files Anywhere", "vendor": "vanquish", "versions": [{"lessThanOrEqual": "2.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:12.731Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.<p>This issue affects Upload Files Anywhere: from n/a through <= 2.8.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:39.776Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-upload-files-anywhere/vulnerability/wordpress-upload-files-anywhere-plugin-2-8-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "title": "WordPress Upload Files Anywhere plugin <= 2.8 - Arbitrary File Deletion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T15:11:49.453491Z", "id": "CVE-2025-69379", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:57:05.997Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69379", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T15:11:49.453491Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T15:11:03.623Z"}}], "cna": {"title": "WordPress Upload Files Anywhere plugin <= 2.8 - Arbitrary File Deletion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "affected": [{"vendor": "vanquish", "product": "Upload Files Anywhere", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.8"}], "packageName": "wp-upload-files-anywhere", "collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:04:12.731Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-upload-files-anywhere/vulnerability/wordpress-upload-files-anywhere-plugin-2-8-arbitrary-file-deletion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8.", "supportingMedia": [{"type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.<p>This issue affects Upload Files Anywhere: from n/a through <= 2.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:26.017Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69379", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:26.017Z", "dateReserved": "2025-12-31T20:13:05.452Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:53.230Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8."}, {"lang": "es", "value": "Limitaci\u00f3n Inadecuada de un Nombre de Ruta a un Directorio Restringido ('Salto de Ruta') vulnerabilidad en vanquish Upload Files Anywhere wp-upload-files-anywhere permite Salto de Ruta. Este problema afecta a Upload Files Anywhere: desde n/a hasta &lt;= 2.8."}], "id": "CVE-2025-69379", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:22.443", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-upload-files-anywhere/vulnerability/wordpress-upload-files-anywhere-plugin-2-8-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Upload Files Anywhere", "source": "cna", "vendor": "vanquish"}, "product": "upload_files_anywhere", "vendor": "vanquish"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T09:28:35.798300+00:00", "value": {"mitigation_remediation": ["Upgrade Upload Files Anywhere to a version newer than 2.8, or apply any vendor-published patch that fixes the Path Traversal issue.", "If an upgrade is not immediately possible, disable the file deletion functionality in the plugin settings, or restrict the endpoint so that only trusted administrators can invoke it.", "Restrict file system permissions so that the web server\u2019s user account cannot write to critical directories and validate that all uploaded files are stored in a dedicated, non-executable directory."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Deletion"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Upload Files Anywhere plugin version 2.8 or earlier are affected. The plugin is available through WordPress and is used by site administrators to manage uploaded files.", "description_and_impact": "The vulnerability in vanquish Upload Files Anywhere is a Path Traversal flaw that allows an attacker to bypass directory restrictions and delete any file on the server. This weakness can lead to unauthorized removal of critical files, thereby compromising the website\u2019s integrity and availability. The issue is classified as CWE\u201122, indicating improper limitation of a pathname to a restricted directory.", "risk_and_exploitability": "The CVSS score of 8.6 marks this flaw as having high severity. The EPSS score of less than 1% indicates that exploitation is unlikely, but not impossible. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the most likely attack vector involves sending a crafted HTTP request to the plugin\u2019s file deletion endpoint, which may be accessible to authenticated users with permission to manage files. If successful, an attacker could delete arbitrary files, potentially leading to site downtime or loss of essential data."}}}}, "created": "2026-02-23T14:37:14.789273+00:00", "updated": "2026-04-28T09:30:26.220491+00:00", "vendors": ["vanquish", "vanquish$PRODUCT$upload_files_anywhere", "wordpress", "wordpress$PRODUCT$wordpress"]}