Path Traversal Vulnerability in Upload Files Anywhere Plugin by Vanquish
CVE-2025-69380

7.5HIGH

Key Information:

Vendor: WordPress
Status: Upload Files Anywhere
Vendor: CVE Published:; 20 February 2026

What is CVE-2025-69380?

A vulnerability exists in the Upload Files Anywhere plugin developed by Vanquish, allowing attackers to exploit improper limitations on pathname restrictions. This flaw enables unauthorized access to sensitive files on the host server. The affected versions range from n/a up to and including version 2.8. To safeguard your WordPress site, it is crucial to update to the latest version and apply any necessary security patches to mitigate the risk of arbitrary file access.

Affected Version(s)

Upload Files Anywhere 0 <= 2.8

References

https://patchstack.com/database/Wordpress/Plugin/wp-uploa...

vdb-entry

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 20, 2026
Vulnerability Reserved
Dec 31, 2025

Credit

Phat RiO | Patchstack Bug Bounty Program

CVE-2025-69380 Data

JSON