CVE-2025-68907
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-04-27

Assigner: Patchstack

Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Hostme v2 hostmev2 allows Path Traversal.This issue affects Hostme v2: from n/a through <= 7.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68907
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
aivahthemes hostme_v2 to 7.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68907 is an Arbitrary File Deletion vulnerability in the WordPress Hostme v2 Theme (up to version 7.0). It allows unauthenticated attackers to delete files on the affected website by exploiting a Path Traversal flaw, which means they can access and remove files outside the intended restricted directories. This can lead to the removal of core files and potentially cause the website to break or stop functioning. [1]

Impact Analysis

This vulnerability can have a significant impact by allowing attackers to delete important files on your website without authentication. This can result in the website breaking, losing functionality, or becoming completely unavailable. The risk is high due to the ease of exploitation and the potential damage to the website's operation. [1]

Mitigation Strategies

Users are strongly advised to apply the mitigation rule issued by Patchstack immediately to block attacks exploiting this vulnerability until an official patch becomes available. This mitigation helps protect websites from exploitation of the arbitrary file deletion vulnerability in Hostme v2 theme versions up to 7.0. [1]

Detection Guidance

This vulnerability can be detected by monitoring for attempts to exploit arbitrary file deletion via path traversal in the Hostme v2 WordPress theme. Since it allows unauthenticated attackers to delete files, you should look for suspicious HTTP requests containing path traversal patterns (e.g., '../') targeting the theme's endpoints. While no specific detection commands are provided, you can use web server access logs to grep for such patterns. For example, using a command like `grep -E '\.\./' /var/log/apache2/access.log` or `grep -E '\.\./' /var/log/nginx/access.log` can help identify potential exploitation attempts. Additionally, applying the mitigation rule provided by Patchstack is strongly advised to block attacks until an official patch is released. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68907. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart