Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal. This issue affects Upload Files Anywhere: from n/a through <= 2.8.
Published: 2026-02-20
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in vanquish Upload Files Anywhere is a Path Traversal flaw that allows an attacker to bypass directory restrictions and delete any file on the server. This weakness can lead to unauthorized removal of critical files, thereby compromising the website’s integrity and availability. The issue is classified as CWE‑22, indicating improper limitation of a pathname to a restricted directory.

Affected Systems

WordPress sites that have installed the Upload Files Anywhere plugin version 2.8 or earlier are affected. The plugin is available through WordPress and is used by site administrators to manage uploaded files.

Risk and Exploitability

The CVSS score of 8.6 marks this flaw as having high severity. The EPSS score of less than 1% indicates that exploitation is unlikely, but not impossible. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the most likely attack vector involves sending a crafted HTTP request to the plugin’s file deletion endpoint, which may be accessible to authenticated users with permission to manage files. If successful, an attacker could delete arbitrary files, potentially leading to site downtime or loss of essential data.

Generated by OpenCVE AI on April 28, 2026 at 09:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Upload Files Anywhere to a version newer than 2.8, or apply any vendor-published patch that fixes the Path Traversal issue.
  • If an upgrade is not immediately possible, disable the file deletion functionality in the plugin settings, or restrict the endpoint so that only trusted administrators can invoke it.
  • Restrict file system permissions so that the web server’s user account cannot write to critical directories, and verify that all uploaded files are stored in a dedicated, non-executable directory.


Advisories

No advisories yet.

History

Thu, 26 Feb 2026 11:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 16:30:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Vanquish; Vanquish upload Files Anywhere; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Vanquish; Vanquish upload Files Anywhere; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal. This issue affects Upload Files Anywhere: from n/a through <= 2.8.

Type: Title
Values Added: WordPress Upload Files Anywhere plugin <= 2.8 - Arbitrary File Deletion vulnerability

Type: Weaknesses
Values Added: CWE-22

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:57:05.997Z

Reserved: 2025-12-31T20:13:05.452Z

Link: CVE-2025-69379

Vulnrichment

Updated: 2026-02-25T15:11:03.623Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:22.443

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69379

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:30:26Z

Weaknesses