CVE-2025-69097
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-04-27
Assigner: Patchstack
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vibethemes | wplms_plugin | up to 1.9.9.5.4 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69097 is a high-priority Arbitrary File Deletion vulnerability in the WordPress WPLMS Plugin (versions up to 1.9.9.5.4). It is a Path Traversal vulnerability that allows unauthenticated attackers to delete arbitrary files on the affected website by bypassing access controls. This can lead to deletion of core website files, potentially causing the site to break and stop functioning properly. [1]
How can this vulnerability impact me?
This vulnerability can have a severe impact by allowing attackers to delete important files on your website without authentication. This can cause your website to malfunction or become completely unavailable, leading to potential loss of data, disruption of services, and damage to your online presence. [1]
What immediate steps should I take to mitigate this vulnerability?
Users should immediately apply the mitigation rule issued by Patchstack to block attacks targeting this vulnerability until an official patch is released. This mitigation helps protect the website from arbitrary file deletion exploits. Since no official fix is available as of the publication date, implementing this mitigation is strongly advised to safeguard the WordPress WPLMS Plugin installations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for exploitation attempts that involve arbitrary file deletion requests targeting the WPLMS plugin. Since no official fix is available, Patchstack has provided a mitigation rule to block such attacks. Detection can involve inspecting web server logs for suspicious requests attempting path traversal or file deletion patterns related to the plugin. Specific commands are not provided in the resources, but typical detection might include using tools like grep to search logs for suspicious URL patterns or employing web application firewalls with the provided mitigation rules. [1]
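One way to do the log inspection described above, as an added example that is not from Patchstack or the cited resources. It assumes access logs in combined log format and that the string `wplms` appears in the request target; the action name, route and parameter names in the sample lines are constructed placeholders, not the plugin's real endpoints.

```python
import re
from urllib.parse import unquote

# Assumption: requests reaching the plugin carry "wplms" in the path or query.
PLUGIN_HINT = re.compile(r"wplms", re.I)
# A ".." path segment preceded by a separator or parameter delimiter.
TRAVERSAL = re.compile(r"(?:^|[/\\=&?])\.\.(?:[/\\]|$)")
# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (ip, method, decoded_target, status) for traversal-looking hits."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a combined-format line
        ip, method, target, status = m.groups()
        decoded = fully_decode(target)
        if PLUGIN_HINT.search(decoded) and TRAVERSAL.search(decoded):
            hits.append((ip, method, decoded, int(status)))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder names).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jan/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=wplms_example&file=..%2F..%2Fexample.txt HTTP/1.1" 200 12',
    '198.51.100.9 - - [22/Jan/2026:10:01:05 +0000] "GET /wp-json/wplms/v1/example'
    '?path=%252e%252e%252fexample.txt HTTP/1.1" 403 0',
    '192.0.2.4 - - [22/Jan/2026:10:02:00 +0000] "GET /wp-content/plugins/'
    'wplms_plugin/assets/app.js?ver=1.9.9 HTTP/1.1" 200 5120',
    '192.0.2.8 - - [22/Jan/2026:10:03:00 +0000] "GET /download.php?f=../../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Access logs normally record only the request line, so parameters sent in a POST body will not appear here; those need WAF or application-level logging.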
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.