Cyber Resilience

CVE-2025-2539

High

Published: 20 March 2025

Published
20 March 2025
Modified
08 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.2072 95.7th percentile
Risk Priority 27 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2539 is a high-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in File Away Project File Away. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

The File Away plugin for WordPress is vulnerable to unauthorized data access stemming from a missing capability check on the ajax() function in all versions through 3.9.9.0.1. The flaw, tracked as CWE-327, stems from reliance on a reversible weak algorithm that permits unauthenticated attackers to retrieve the contents of arbitrary server files containing sensitive information. It carries a CVSS 3.1 score of 7.5 reflecting network-accessible exploitation with high confidentiality impact and no required privileges or user interaction.

Unauthenticated remote attackers can invoke the affected ajax endpoint to bypass intended access controls and read arbitrary files on the underlying server. Successful exploitation yields direct exposure of sensitive data without authentication, enabling further reconnaissance or targeted data theft depending on the contents of accessible files.

Public references including the Wordfence advisory and the WordPress plugin repository track the issue and identify the affected versions, while a proof-of-concept exploit is available on GitHub. No explicit patch or mitigation details beyond version constraints are provided in the references.

The EPSS score sits at 0.2072 with a peak of 0.2081, indicating sustained moderate exploitation probability.

EU & UK References

Vulnerability details

The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the…

more

use of a reversible weak algorithm, to read the contents of arbitrary files on the server, which can contain sensitive information.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The vulnerability is an unauthenticated arbitrary file read in a public-facing WordPress plugin, directly enabling T1190 (Exploit Public-Facing Application) as the attack vector and T1005 (Data from Local System) for retrieving sensitive file contents.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2512Same product: File Away Project File Away
CVE-2026-28479Shared CWE-327
CVE-2024-22347Shared CWE-327
CVE-2025-68702Shared CWE-327
CVE-2026-21718Shared CWE-327
CVE-2026-22585Shared CWE-327
CVE-2024-41763Shared CWE-327
CVE-2026-34950Shared CWE-327
CVE-2025-69929Shared CWE-327
CVE-2026-28252Shared CWE-327

Affected Assets

file away project
file away
≤ 3.9.9.0.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the missing capability check and weak cryptographic algorithm in the File Away plugin's ajax function to prevent unauthorized arbitrary file reads.

prevent

Enforces approved authorizations for access to the vulnerable ajax endpoint, addressing the core missing capability check exploited by unauthenticated attackers.

prevent

Applies least privilege to restrict unauthenticated access to sensitive files, mitigating impacts even if authorization bypass occurs.

References