CVE-2025-68862 HIGH

CVE-2025-68862: WordPress Woo File Dropzone plugin <= 1.1.7 - Arbitrary File Deletion vulnerability

Vendor: Murtaza Bhurgri
Product: Woo File Dropzone
Weakness: CWE-22 · Path traversal
Published: February 20, 2026
Last update: April 28, 2026

CVSS base score

7.7/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01 Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Murtaza Bhurgri Woo File Dropzone woo-file-dropzone allows Path Traversal. This issue affects Woo File Dropzone: from n/a through <= 1.1.7.

Explanation of Vulnerability in Simple Terms

02 Summary

Woo File Dropzone versions 1.1.7 and earlier contain a path traversal vulnerability that allows authenticated users to cause a denial of service by manipulating file paths. An attacker with low-level access can disrupt site availability by triggering resource exhaustion or file system errors. The vulnerability affects the file upload handling mechanism and impacts the entire application scope.

What an attacker can do

03 Attacker Capabilities

Disrupt site availability by exploiting file path handling to exhaust resources or trigger errors.

Potential impact on your site

04 Site Impact

The site may become unavailable or unresponsive due to resource exhaustion triggered through the file upload feature.

Conditions required to exploit

05 Prerequisites

The attacker must have a low-level user account (e.g., subscriber or contributor role) on the site.

Key dates

06 Disclosure timeline

February 20, 2026: CVE published
April 28, 2026: Record updated