Platform
wordpress
Component
anona
Fixed in
8.0.1
CVE-2025-68902 describes an Arbitrary File Access vulnerability within the Anona WordPress plugin. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. The vulnerability impacts versions from 0.0.0 up to and including 8.0. A fix is pending, requiring immediate mitigation strategies.
The Arbitrary File Access vulnerability in Anona allows an attacker to bypass intended access restrictions and read arbitrary files on the server. This could expose sensitive data such as configuration files, database credentials, or even source code. Successful exploitation could lead to complete compromise of the WordPress instance and potentially the entire server. The attacker could gain access to critical system information, leading to further attacks or data theft. This vulnerability is particularly concerning given the widespread use of WordPress and the potential for sensitive data to be stored within WordPress plugins.
CVE-2025-68902 was published on 2026-01-22. The vulnerability's severity is considered HIGH (CVSS 7.5). Currently, there are no publicly known proof-of-concept exploits. It is not listed on the CISA KEV catalog as of this writing. Active exploitation is not confirmed, but the ease of exploitation inherent in path traversal vulnerabilities suggests a potential for rapid exploitation once a PoC is released.
WordPress sites using the Anona plugin, particularly those with default configurations or shared hosting environments, are at increased risk. Sites that haven't implemented robust file access controls or regularly scan for vulnerabilities are also more vulnerable.
• wordpress / composer / npm:
  grep -r "../" /var/www/html/wp-content/plugins/anona/*
• generic web:
  curl -I http://your-wordpress-site.com/wp-content/plugins/anona/../../../../etc/passwd
• wordpress / composer / npm:
  wp plugin list --status=inactive --all | grep anona
Disclosure
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
Since a patched version of Anona is not yet available, immediate mitigation steps are crucial. The primary recommendation is to restrict file access permissions on the server to minimize the potential damage from a successful exploit. Implement strict access controls within the WordPress environment, limiting the ability of users to upload or modify files. Consider using a Web Application Firewall (WAF) to filter requests and block attempts to access files outside of the intended directories. Monitor server logs for suspicious file access attempts. After a patched version is released, upgrade Anona immediately. Verify the fix by attempting to access files outside the intended directories and confirming that access is denied.
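Detection logic for the log-monitoring step above, added here as an example and not part of the original advisory or the plugin's code: it parses constructed Apache/Nginx combined-format access-log lines, percent-decodes request paths (including double encoding and backslash variants) and flags traversal attempts aimed at the Anona plugin directory. The sample log lines, the plugin path prefix and the log format are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jan/2026:10:00:01 +0000] "GET /wp-content/plugins/anona/assets/style.css HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jan/2026:10:00:02 +0000] "GET /wp-content/plugins/anona/../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.9 - - [22/Jan/2026:10:00:03 +0000] "GET /wp-content/plugins/anona/?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [22/Jan/2026:10:00:04 +0000] "GET /wp-content/plugins/anona/?file=..%255c..%255cwp-config.php HTTP/1.1" 403 0 "-" "-"
198.51.100.2 - - [22/Jan/2026:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Assumed layout of the vulnerable plugin under the web root.
PLUGIN_PREFIX = "/wp-content/plugins/anona"

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." as its own path element: preceded by start/separator/'=' etc., followed by '/' or end.
TRAVERSAL_RE = re.compile(r'(?:^|[^A-Za-z0-9.])\.\.(?:/|$)')


def normalize(path: str) -> str:
    """Percent-decode until stable (max 3 passes) so double encoding such as
    %255c does not hide a separator, then fold backslashes to slashes."""
    prev = None
    for _ in range(3):
        if path == prev:
            break
        prev, path = path, unquote(path)
    return path.replace("\\", "/")


def find_traversal_attempts(log_text: str) -> list[dict]:
    """Return one record per request under the plugin prefix whose decoded
    path contains a '..' segment. 'served' is True when the server answered 200,
    i.e. the request was not blocked and warrants investigation first."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(PLUGIN_PREFIX):
            continue
        if TRAVERSAL_RE.search(normalize(m.group("path"))):
            hits.append({"ip": m.group("ip"), "path": m.group("path"),
                         "status": int(m.group("status")),
                         "served": m.group("status") == "200"})
    return hits


if __name__ == "__main__":
    for h in find_traversal_attempts(SAMPLE_LOG):
        print(("SERVED " if h["served"] else "blocked") + f" {h['ip']} {h['path']}")
```

Requests that were answered with 200 should be triaged before the blocked ones, since they indicate the WAF or file permissions did not stop the read.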
No known patch available. Please review the vulnerability details closely and implement protective measures based on your organization's risk appetite. It may be best to uninstall the affected software and find a replacement.
CVE-2025-68902 is a HIGH severity vulnerability in the Anona WordPress plugin allowing attackers to read arbitrary files on the server through path traversal. It affects versions 0.0.0 through 8.0.
If you are using the Anona WordPress plugin in versions 0.0.0 through 8.0, you are potentially affected by this vulnerability. Check your plugin version and upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of the Anona plugin. Until a patch is released, consider temporary workarounds like WAF rules and restricting file access permissions.
As of the publication date, there is no confirmed active exploitation of CVE-2025-68902, but the vulnerability's nature suggests potential for exploitation.
Refer to the AivahThemes website and WordPress plugin repository for official advisories and updates related to CVE-2025-68902.