CVE-2025-2539
Published: 20 March 2025
Summary
CVE-2025-2539 is a high-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in File Away Project File Away. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
The File Away plugin for WordPress is vulnerable to unauthorized data access stemming from a missing capability check on the ajax() function in all versions through 3.9.9.0.1. The flaw, tracked as CWE-327, stems from reliance on a reversible weak algorithm that permits unauthenticated attackers to retrieve the contents of arbitrary server files containing sensitive information. It carries a CVSS 3.1 score of 7.5 reflecting network-accessible exploitation with high confidentiality impact and no required privileges or user interaction.
Unauthenticated remote attackers can invoke the affected ajax endpoint to bypass intended access controls and read arbitrary files on the underlying server. Successful exploitation yields direct exposure of sensitive data without authentication, enabling further reconnaissance or targeted data theft depending on the contents of accessible files.
Public references including the Wordfence advisory and the WordPress plugin repository track the issue and identify the affected versions, while a proof-of-concept exploit is available on GitHub. No explicit patch or mitigation details beyond version constraints are provided in the references.
The EPSS score sits at 0.2072 with a peak of 0.2081, indicating sustained moderate exploitation probability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6807
Vulnerability details
The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the…
more
use of a reversible weak algorithm, to read the contents of arbitrary files on the server, which can contain sensitive information.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated arbitrary file read in a public-facing WordPress plugin, directly enabling T1190 (Exploit Public-Facing Application) as the attack vector and T1005 (Data from Local System) for retrieving sensitive file contents.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the missing capability check and weak cryptographic algorithm in the File Away plugin's ajax function to prevent unauthorized arbitrary file reads.
Enforces approved authorizations for access to the vulnerable ajax endpoint, addressing the core missing capability check exploited by unauthenticated attackers.
Applies least privilege to restrict unauthenticated access to sensitive files, mitigating impacts even if authorization bypass occurs.