CVE-2025-2539 Scanner

CVE-2025-2539 Scanner - Pre-Authorization Arbitrary File Read vulnerability in File Away

Short Info

Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 14 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

File Away is a WordPress plugin that provides file management inside the WordPress dashboard. It lets users and administrators upload, organize, and share files through the web interface, and is widely used by site owners who need a document repository or file-sharing functionality integrated into their WordPress sites. It supports secure uploads, downloads, and dynamic file views, and relies heavily on WordPress’s AJAX API to deliver these features. Because the plugin handles file access so broadly, any misconfiguration or missing validation can introduce serious security risk.

This vulnerability allows unauthenticated users to read arbitrary files from the server because of a missing capability check in the plugin’s `ajax()` AJAX handler. Attackers can exploit it by leveraging a weak encryption mechanism to derive the required nonce and bypass access controls. The flaw is critical because it permits file reads without any prior authentication, giving adversaries access to sensitive data. The root cause is inadequate privilege checking combined with poor handling of user input when processing file requests. As a result, anyone who can reach the endpoint can manipulate it to read files outside the intended scope. Versions up to and including 3.9.9.0.1 are affected.

In detail, the scan extracts a valid `nonce` from a page that includes the plugin’s JavaScript and uses it to send a crafted request to the `/wp-admin/admin-ajax.php` endpoint. The request includes a `file` parameter set to a path traversal string targeting files such as `/etc/passwd`. If the request succeeds, the server returns a downloadable URL, which the scan then fetches with a follow-up GET request. The vulnerability is confirmed if the returned file contains known content such as “root:”. The response also carries the content type `application/force-download`, which indicates forced file-read behavior. This multi-step process validates both the existence and the exploitability of the flaw.
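As an added defensive example (not the scanner’s own code), the following Python flags `admin-ajax.php` requests whose `file` parameter carries a traversal or absolute-path string in web-server access logs; the sample log lines are constructed, and the AJAX action name and nonce values in them are placeholders, since the page does not give the real ones.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic).
# "action=fileaway" and "nonce=n1" are placeholder values.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Apr/2025:09:12:01 +0000] "GET /wp-admin/admin-ajax.php?action=fileaway&file=report.pdf&nonce=n1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Apr/2025:09:12:03 +0000] "GET /wp-admin/admin-ajax.php?action=fileaway&file=../../../../etc/passwd&nonce=n1 HTTP/1.1" 200 240 "-" "curl/8.4"
203.0.113.9 - - [10/Apr/2025:09:12:04 +0000] "GET /wp-admin/admin-ajax.php?action=fileaway&file=..%252F..%252Fetc%252Fpasswd&nonce=n1 HTTP/1.1" 200 240 "-" "curl/8.4"
192.0.2.4 - - [10/Apr/2025:09:12:05 +0000] "GET /index.php?file=../etc/passwd HTTP/1.1" 404 120 "-" "curl/8.4"
"""

# Combined log format: client ident user [timestamp] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Parent-directory hop (either slash style) or an absolute path after decoding.
TRAVERSAL_RE = re.compile(r'(\.\.[\\/]|^[\\/])')


def inspect_request(ip, target, status):
    """Return a finding if the request looks like a traversal probe against
    admin-ajax.php's `file` parameter, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.endswith('/wp-admin/admin-ajax.php'):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    for raw in params.get('file', []):
        decoded = unquote(unquote(raw))  # catch double/triple URL encoding
        if TRAVERSAL_RE.search(decoded):
            return {'ip': ip, 'file': decoded, 'status': int(status),
                    'reason': 'traversal in admin-ajax.php file parameter'}
    return None


def scan_log(text):
    """Scan access-log text and return the list of findings (GET requests only;
    POST bodies are not visible in a standard access log)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            f = inspect_request(m['ip'], m['target'], m['status'])
            if f:
                findings.append(f)
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A `200` status on a flagged request is a stronger signal than a `4xx`; correlating with the `application/force-download` content type requires proxy or WAF logs that record response headers.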

When successfully exploited, the vulnerability can expose sensitive server-side files, including configuration files, password hashes, and other internal documentation. This gives attackers critical information with which to further compromise the system or escalate their privileges. In shared hosting environments, the risk can extend to other tenants on the same server. The data leak also violates data protection policies and can cause reputational damage. Consequently, systems with this plugin installed are at high risk unless it is patched or removed.
