Platform: wordpress
Component: hdforms
Fixed in: 1.6.2
CVE-2025-68912 describes an Arbitrary File Access vulnerability within the HDForms WordPress plugin. This flaw allows attackers to potentially read arbitrary files on the server by manipulating file paths, leading to sensitive data exposure. The vulnerability impacts versions 0.0.0 through 1.6.1 of HDForms, and a fix is available in version 1.6.2.
The Arbitrary File Access vulnerability in HDForms allows an attacker to bypass intended security restrictions and access files outside of the intended directory. By crafting malicious requests with carefully constructed file paths, an attacker can potentially retrieve configuration files, source code, or other sensitive data stored on the server. This could lead to the exposure of database credentials, API keys, or other confidential information. The blast radius extends to any data accessible by the web server process, potentially compromising the entire WordPress installation and any connected systems. While there's no direct precedent for this specific vulnerability, path traversal flaws are frequently exploited in web applications, often leading to significant data breaches.
CVE-2025-68912 was published on 2026-01-22. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept exploits are not yet available, but the vulnerability's nature makes it likely that such exploits will emerge. The EPSS score is likely to be medium, given the ease of exploitation once a PoC is available.
Exploit Status
EPSS: 0.09% (25th percentile)
The primary mitigation for CVE-2025-68912 is to upgrade HDForms to version 1.6.2 or later immediately. If upgrading is not immediately feasible, apply temporary workarounds to reduce the risk: restrict file permissions on the server so that the web server process can read only the files it needs; enforce strict validation of every file path the plugin accepts so that path traversal attempts are rejected; and consider a Web Application Firewall (WAF) with rules that block requests containing suspicious path characters (e.g., '..'). After upgrading, verify the fix by attempting to access a known sensitive file outside the intended directory via a web request; the request should be denied.
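The input-validation workaround above is easy to get wrong if it only strips '..' from the string. The following PHP is an added illustration written for this page; it is not HDForms code and does not reflect the plugin's actual endpoint. It shows the defensive pattern a plugin should apply before reading a user-named file: reject anything that is not a bare file name, apply an extension allow-list, canonicalize the resulting path with realpath(), and require the canonical path to remain under the allowed base directory (which also covers symlinks that point elsewhere). The function name, the demo directory and the allowed extensions are assumptions made for the example.

```php
<?php
// Added example for this advisory, not the plugin's own code.
// hdf_example_safe_path(), the demo directory and the extension list
// are assumptions chosen for illustration.

/**
 * Resolve a user-supplied file name against an allowed base directory.
 * Returns the canonical absolute path, or null when the request would
 * escape the base directory, names a disallowed extension, or does not
 * resolve to an existing file.
 */
function hdf_example_safe_path(string $baseDir, string $userName, array $allowedExt): ?string
{
    // Canonicalize the base directory first. realpath() returns false if
    // the directory does not exist; treat that as a hard failure.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // The endpoint expects a bare file name, never a path: reject empty
    // input, NUL bytes, and anything basename() would change (slashes,
    // backslashes, "dir/../x" style components).
    if ($userName === '' || strpos($userName, "\0") !== false || $userName !== basename($userName)) {
        return null;
    }

    // Extension allow-list, compared case-insensitively.
    $ext = strtolower(pathinfo($userName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }

    // Canonicalize the full path and require it to stay under $base.
    // A symlink inside the directory that targets a file elsewhere
    // resolves to its target here and fails the prefix check.
    $full = realpath($base . $userName);
    if ($full === false || strncmp($full, $base, strlen($base)) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demo directory and file so the example runs offline.
$uploads = __DIR__ . DIRECTORY_SEPARATOR . 'hdf_demo_uploads';
@mkdir($uploads);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'export.csv', "id,email\n1,user@example.test\n");

// Constructed request names covering the cases the check must handle.
$requests = [
    'export.csv',          // legitimate file, allowed extension   => OK
    '../secret.txt',       // traversal component                  => DENIED
    'export.csv/../../x',  // traversal hidden after a valid name  => DENIED
    'export.php',          // extension not in the allow-list      => DENIED
    'missing.csv',         // does not exist; realpath() is false  => DENIED
];

foreach ($requests as $req) {
    $path = hdf_example_safe_path($uploads, $req, ['csv', 'pdf']);
    echo str_pad($req, 22), ' => ', ($path === null ? 'DENIED' : 'OK'), PHP_EOL;
}
```

Two design points worth keeping when adapting this: the prefix comparison is made on the canonical path returned by realpath(), not on the string the client sent, so encoded or nested traversal sequences cannot slip past a pattern filter; and a request for a non-existent file is denied with the same response as a traversal attempt, so the endpoint does not reveal which paths exist outside the directory.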
Update to version 1.6.2 or a newer patched version.
CVE-2025-68912 is a HIGH severity vulnerability in HDForms allowing attackers to read arbitrary files on a WordPress server. It affects versions 0.0.0 through 1.6.1.
You are affected if your WordPress site uses HDForms version 0.0.0 to 1.6.1. Check your plugin versions immediately.
Upgrade HDForms to version 1.6.2 or later to resolve the vulnerability. Implement temporary workarounds like file access restrictions if immediate upgrade is not possible.
There is currently no confirmed active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the official HDForms website or WordPress plugin repository for the latest security advisory and update information.