Platform
wordpress
Component
hostmev2
Fixed in
7.0.1
CVE-2025-68907 describes an Arbitrary File Access vulnerability within AivahThemes Hostme v2, a WordPress theme. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. Versions of Hostme v2 from 0.0.0 up to and including 7.0 are affected. A fix is expected from the vendor.
The Arbitrary File Access vulnerability allows an attacker to bypass intended security restrictions and access files outside of the intended directory. A successful exploit could lead to the disclosure of sensitive information such as configuration files, database credentials, or even source code. Depending on the files accessible, this could enable further compromise of the WordPress site and potentially the underlying server. While this vulnerability doesn't directly lead to remote code execution, the information gained could be used to identify and exploit other vulnerabilities.
CVE-2025-68907 was publicly disclosed on 2026-01-22. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The EPSS score is pending evaluation. Monitor security advisories from AivahThemes and WordPress security communities for updates.
Exploit Status
EPSS
0.06% (19% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade Hostme v2 to a patched version as soon as it becomes available from AivahThemes. In the interim, implement a Web Application Firewall (WAF) with rules to filter out malicious path traversal attempts. Specifically, look for patterns like '../' or '\..' in user-supplied input. Additionally, restrict file permissions on sensitive directories to prevent unauthorized access. Regularly review WordPress plugin configurations for any unusual file access patterns.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-68907 is a vulnerability in Hostme v2 allowing attackers to read files outside of intended directories via path manipulation. It's rated HIGH severity (CVSS 7.5) and affects versions 0.0.0 through 7.0.
If you are using Hostme v2 version 0.0.0 to 7.0 on your WordPress site, you are potentially affected. Check for updates from AivahThemes immediately.
Upgrade Hostme v2 to the latest patched version as soon as it's released by AivahThemes. Implement WAF rules to block path traversal attempts as an interim measure.
As of now, there are no confirmed reports of active exploitation of CVE-2025-68907, but it's crucial to apply mitigations proactively.
Check the AivahThemes website and WordPress plugin repository for updates and security advisories related to Hostme v2 and CVE-2025-68907.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.