Description
The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-03-19
Score: 9.8 Critical
EPSS: 4.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

File Away for WordPress allows an attacker without any authentication to call the upload() function, because the plugin fails to enforce a capability check and does not validate the type of the file being uploaded. The flaw exists in all releases up to and including 3.9.9.0.1 and belongs to the well-known arbitrary file upload class (CWE-434). Because uploaded files can land in web-accessible directories, an attacker can drop malicious scripts, configuration files or other components that, if executed, lead to remote code execution, site defacement, or data exfiltration.

Affected Systems

All WordPress installations running File Away version 3.9.9.0.1 or lower are affected. Any publicly reachable site running the plugin is exposed, since the upload endpoint is not restricted to authorized users.

Risk and Exploitability

The CVSS score of 9.8 marks this flaw as critical. The EPSS score of 4% indicates that the probability of exploitation in the wild is low but not negligible. The vulnerability is not currently listed in the CISA KEV catalog. The attack path is straightforward: an adversary can reach the plugin's upload endpoint without any authentication and deliver an arbitrary file. If the server is configured to execute uploaded files as PHP or other interpretable code, remote code execution follows.

Generated by OpenCVE AI on April 29, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade File Away to version 3.10.0 or later, which removes the insecure upload handler.
  • If an upgrade is not immediately possible, disable the upload endpoint by removing or restricting access to the upload() URL, and delete the vulnerable function from the plugin code.
  • Configure the web server or .htaccess to deny execution of uploaded files in the upload directory and enforce a strict MIME type policy.
  • Deploy a security plugin or web application firewall to monitor for and block arbitrary file upload attempts.
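As an added illustration (not code from the File Away plugin or from OpenCVE), the following WordPress AJAX upload handler enforces the two controls the advisory says upload() lacked: a capability check and server-side file type validation. The hook name, nonce action, callback name and allowed-type list are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's code: a hardened WordPress AJAX upload handler.
// Registered only on wp_ajax_ (logged-in users); no wp_ajax_nopriv_ hook exists,
// so unauthenticated requests never reach the callback at all.
add_action( 'wp_ajax_example_upload', 'example_handle_upload' );

function example_handle_upload() {
    // Authorization: the caller must hold the upload_files capability
    // (the missing check in the advisory), and must present a valid nonce (CSRF).
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    check_ajax_referer( 'example_upload_nonce', 'nonce' );

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }

    // File type validation (the second missing check): an explicit allow-list
    // of extensions and MIME types, checked against the extension and, where
    // PHP's fileinfo is available, the file's real content, never the
    // client-supplied Content-Type.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // Let WordPress move the file into the uploads directory under a sanitized
    // name; the 'mimes' override re-applies the same allow-list inside wp_handle_upload().
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

Even with these checks, keep the web-server rule from the list above that denies script execution inside wp-content/uploads, so a file that slips past validation still cannot run.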


Advisories

Source: EUVD
ID: EUVD-2025-7572
Title: The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

History

Wed, 08 Apr 2026 17:45:00 +0000
  References

Mon, 11 Aug 2025 15:00:00 +0000
  First Time appeared (values added): File Away Project; File Away Project file Away
  CPEs (values added): cpe:2.3:a:file_away_project:file_away:*:*:*:*:*:wordpress:*:*
  Vendors & Products (values added): File Away Project; File Away Project file Away

Wed, 19 Mar 2025 14:15:00 +0000
  Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 19 Mar 2025 11:30:00 +0000
  Description (values added): The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
  Title (values added): File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated File Upload via upload Function
  Weaknesses (values added): CWE-434
  References
  Metrics (values added): cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:06.397Z

Reserved: 2025-03-18T23:04:49.949Z

Link: CVE-2025-2512

Vulnrichment

Updated: 2025-03-19T13:20:15.039Z

NVD

Status: Modified

Published: 2025-03-19T12:15:14.463

Modified: 2026-04-08T18:24:35.700

Link: CVE-2025-2512

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:15:16Z

Weaknesses