Unauthorized Data Access in File Away Plugin for WordPress
CVE-2025-2539
Key Information:
Badges
What is CVE-2025-2539?
The File Away plugin for WordPress suffers from a vulnerability that allows unauthorized access to sensitive data. This is due to a missing capability check on the ajax() function present in all versions up to and including 3.9.9.0.1. Exploiting this vulnerability enables unauthenticated attackers to leverage a reversible weak algorithm to read arbitrary files on the server, potentially exposing confidential information stored within those files.
Affected Version(s)
File Away * <= 3.9.9.0.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
EPSS Score
9% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved