CVE-2025-2539
Published: 20 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-2539 is a vulnerability in the File Away plugin for WordPress, affecting all versions up to and including 3.9.9.0.1. It arises from a missing capability check on the ajax() function, enabling unauthorized access to data. Attackers can leverage a reversible weak algorithm to read the contents of arbitrary files on the server, potentially exposing sensitive information. The issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-327.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By sending crafted requests to the vulnerable ajax() function, they bypass authorization and use the plugin's weak cryptographic mechanism to decrypt and retrieve arbitrary file contents, such as configuration files or other sensitive data stored on the web server.
Advisories, including those from Wordfence, detail the vulnerability and reference affected code in the plugin's class.fileaway_encrypted.php and class.fileaway_stats.php files. Mitigation involves updating to a patched version of the File Away plugin beyond 3.9.9.0.1, as indicated on the plugin's WordPress.org developers page. A proof-of-concept exploit is publicly available on GitHub, highlighting the need for immediate patching.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated arbitrary file read in a public-facing WordPress plugin, directly enabling T1190 (Exploit Public-Facing Application) as the attack vector and T1005 (Data from Local System) for retrieving sensitive file contents.