CVE-2025-2539
File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read
| CVSS Score | 7.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the use of a reversible weak algorithm, to read the contents of arbitrary files on the server, which can contain sensitive information.
| CWE | CWE-327 |
| Vendor | thomstark |
| Product | file away |
| Published | Mar 20, 2025 |
| Last Updated | Apr 8, 2026 |
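CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |
| Scope | Unchanged (S:U) |
| Confidentiality | High (C:H) |
| Integrity | None (I:N) |
| Availability | None (A:N) |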
Affected Versions
thomstark / File Away
0 ≤ 3.9.9.0.1
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/5b23bd5c-db27-4d63-8461-1f36958a2ff6?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/file-away/trunk/lib/cls/class.fileaway_stats.php
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/file-away/trunk/lib/cls/class.fileaway_encrypted.php
wordpress.org: https://wordpress.org/plugins/file-away/#developers
github.com: https://github.com/whattheslime/file-away-exploit?tab=readme-ov-file
Credits
Sélim Lanouar