CVE-2025-2539
Published: 20 March 2025
Summary
CVE-2025-2539 is a high-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in File Away Project File Away. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the missing capability check and weak cryptographic algorithm in the File Away plugin's ajax function to prevent unauthorized arbitrary file reads.
Enforces approved authorizations for access to the vulnerable ajax endpoint, addressing the core missing capability check exploited by unauthenticated attackers.
Applies least privilege to restrict unauthenticated access to sensitive files, mitigating impacts even if authorization bypass occurs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated arbitrary file read in a public-facing WordPress plugin, directly enabling T1190 (Exploit Public-Facing Application) as the attack vector and T1005 (Data from Local System) for retrieving sensitive file contents.
NVD Description
The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the…
more
use of a reversible weak algorithm, to read the contents of arbitrary files on the server, which can contain sensitive information.
Deeper analysisAI
CVE-2025-2539 is a vulnerability in the File Away plugin for WordPress, affecting all versions up to and including 3.9.9.0.1. It arises from a missing capability check on the ajax() function, enabling unauthorized access to data. Attackers can leverage a reversible weak algorithm to read the contents of arbitrary files on the server, potentially exposing sensitive information. The issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-327.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By sending crafted requests to the vulnerable ajax() function, they bypass authorization and use the plugin's weak cryptographic mechanism to decrypt and retrieve arbitrary file contents, such as configuration files or other sensitive data stored on the web server.
Advisories, including those from Wordfence, detail the vulnerability and reference affected code in the plugin's class.fileaway_encrypted.php and class.fileaway_stats.php files. Mitigation involves updating to a patched version of the File Away plugin beyond 3.9.9.0.1, as indicated on the plugin's WordPress.org developers page. A proof-of-concept exploit is publicly available on GitHub, highlighting the need for immediate patching.
Details
- CWE(s)