CVE-2025-2512
Published: 19 March 2025
Summary
CVE-2025-2512 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the File Away plugin by File Away Project. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function. This affects all versions up to and including 3.9.9.0.1 and is tracked as CWE-434 with a CVSS 3.1 score of 9.8.
Unauthenticated attackers can exploit the flaw over the network to upload arbitrary files to the affected site server, which may enable remote code execution.
Public references include a Wordfence threat intelligence entry, the WordPress plugin developer page, and a proof-of-concept repository on GitHub, along with the relevant source file in the plugin repository.
The associated EPSS score rose from a low baseline to a peak of 0.0570 on 2026-04-27 before receding to the current value of 0.0231, indicating that exploitation interest emerged after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7572
Vulnerability details
The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted arbitrary file upload in a public-facing WordPress plugin directly enables T1190 (exploiting the vulnerable application) and T1505.003 (placing a web shell on the server to achieve remote code execution).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: requires timely patching of the specific defect in the File Away plugin's upload() function to eliminate the arbitrary file upload vulnerability.
- SI-10 (Information Input Validation): mandates server-side validation of uploaded files to enforce type restrictions, directly countering the missing file type validation in the upload() function.
- AC-3 (Access Enforcement): enforces access authorizations with capability checks so that unauthenticated attackers cannot reach the vulnerable upload() function.
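As an added example that is not the File Away plugin's own code, the following WordPress AJAX upload handler shows what the two controls listed above (a capability check for AC-3 and server-side file type validation for SI-10) look like in practice; the action name `example_secure_upload`, the nonce action and the allow-list are assumptions.

```php
<?php
// Added example (not the File Away plugin's code): a hardened AJAX upload handler
// implementing the two checks the advisory says were missing in upload().
// Action/nonce names and the allow-list below are assumptions for illustration.

// Only the authenticated hook is registered; there is deliberately no
// 'wp_ajax_nopriv_' counterpart, so anonymous requests never reach the handler.
add_action( 'wp_ajax_example_secure_upload', 'example_secure_upload' );

function example_secure_upload() {
    // Capability check (AC-3): only users allowed to upload may proceed.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    // CSRF protection: the request must carry a nonce issued to this user.
    check_ajax_referer( 'example_secure_upload', 'nonce' );

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }
    $file = $_FILES['file'];

    // Explicit allow-list of extension => MIME type, never taken from the client.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );

    // File type validation (SI-10): WordPress checks the extension against the
    // allow-list and, for images, inspects the actual content; anything that does
    // not resolve to an allowed ext/type pair (e.g. a .php file) is rejected.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        // WordPress corrected an extension that did not match the real content.
        $file['name'] = $check['proper_filename'];
    }

    // Let WordPress move the file into the uploads directory with a sanitized,
    // unique file name, re-applying the same MIME allow-list.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

Keeping the upload directory non-executable for server-side scripts at the web server level is a useful second layer in case a validation bug like this one reappears.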