Platform: wordpress
Component: anona
Fixed in: 8.0.1
CVE-2025-68902 describes an Arbitrary File Access vulnerability within the Anona WordPress plugin. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. The vulnerability impacts versions from 0.0.0 up to and including 8.0. A patch is expected to be released by the vendor.
The Arbitrary File Access vulnerability in Anona allows an attacker to read arbitrary files from the web server's file system. By crafting malicious requests with manipulated file paths, an attacker can bypass intended access controls and retrieve sensitive information. This could include configuration files containing database credentials, source code, or other confidential data. Successful exploitation could lead to complete compromise of the WordPress instance and potentially the underlying server, enabling further malicious activities such as data exfiltration or code execution if combined with other vulnerabilities.
As of the publication date (2026-01-22), exploitation context is limited. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept (POC) code is not yet available, but the nature of path traversal vulnerabilities suggests that a POC is likely to emerge. Monitor security advisories and vulnerability databases for updates.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC: (not listed)
CVSS Vector: (not listed)
The primary mitigation for CVE-2025-68902 is to upgrade to a patched version of the Anona plugin as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. These may include restricting file access permissions on the server, using a Web Application Firewall (WAF) to filter out malicious requests containing path traversal sequences (e.g., ../), and carefully reviewing the plugin's code for potential vulnerabilities. Regularly scan your WordPress installation for known vulnerabilities using security plugins.
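As an added example (not code from this advisory or from the plugin vendor): a detection check for the path-traversal request patterns that the WAF workaround above is meant to block, run over constructed access-log lines. It goes a step further than a literal `../` filter by percent-decoding repeatedly and unifying backslashes, so double-encoded and `..\` variants are caught too. The plugin endpoint name in the sample lines is a placeholder, since the advisory does not name the vulnerable entry point.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). The endpoint
# "PLACEHOLDER-endpoint.php" stands in for the unnamed vulnerable script.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jan/2026:10:00:01 +0000] "GET /wp-content/plugins/anona/PLACEHOLDER-endpoint.php?file=style.css HTTP/1.1" 200 512
203.0.113.7 - - [22/Jan/2026:10:00:02 +0000] "GET /wp-content/plugins/anona/PLACEHOLDER-endpoint.php?file=../../../wp-config.php HTTP/1.1" 200 3400
203.0.113.9 - - [22/Jan/2026:10:00:03 +0000] "GET /wp-content/plugins/anona/PLACEHOLDER-endpoint.php?file=..%252f..%252fwp-config.php HTTP/1.1" 200 3400
203.0.113.9 - - [22/Jan/2026:10:00:04 +0000] "GET /wp-content/plugins/anona/PLACEHOLDER-endpoint.php?file=..%5c..%5cwp-config.php HTTP/1.1" 404 120
198.51.100.2 - - [22/Jan/2026:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 9000
"""

# Matches the quoted request line of a Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (defeats double encoding), then unify slashes."""
    prev, cur = None, target
    for _ in range(rounds):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True when any path or query-value segment is '..' after normalization."""
    path, _, query = normalize(target).partition("?")
    segments = path.split("/")
    for param in query.split("&"):
        _, _, value = param.partition("=")
        segments.extend(value.split("/"))
    return any(seg == ".." for seg in segments)


def find_traversal_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose request target contains traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group("target")):
            hits.append({"ip": line.split()[0],
                         "target": m.group("target"),
                         "normalized": normalize(m.group("target"))})
    return hits
```

Note that a 404 on a traversal attempt (last sample line) is still worth alerting on: it shows probing even when the read failed.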
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-68902 is a HIGH severity vulnerability in the Anona WordPress plugin allowing attackers to read arbitrary files on the server through path traversal. It affects versions 0.0.0 through 8.0.
If you are using the Anona WordPress plugin in versions 0.0.0 through 8.0, you are potentially affected by this vulnerability. Check your plugin version and upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of the Anona plugin. Until a patch is released, consider temporary workarounds like WAF rules and restricting file access permissions.
As of the publication date, there is no confirmed active exploitation of CVE-2025-68902, but the vulnerability's nature suggests potential for exploitation.
Refer to the AivahThemes website and WordPress plugin repository for official advisories and updates related to CVE-2025-68902.