Description
The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the use of a reversible weak algorithm, to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2025-03-20
Score: 7.5 High
EPSS: 20.7% Moderate
KEV: No
Impact: Unauthorized Arbitrary File Read
Action: Immediate Patch
AI Analysis

Impact

The File Away WordPress plugin is vulnerable due to a missing capability check on its ajax() function in all releases up to 3.9.9.0.1. This flaw allows unauthenticated users to construct requests that exploit a reversible weak algorithm to read the contents of any file on the server, potentially exposing sensitive data. The weakness corresponds to CWE‑327, a weak cryptographic algorithm issue. The impact is a full read of arbitrary files without authentication, facilitating data exfiltration and possible downstream attacks.

Affected Systems

Affected software is the File Away plugin by thomstark, a WordPress plugin. Versions 3.9.9.0.1 and earlier are impacted; any deployment of the plugin at those versions or lower is at risk. The plugin resides within a WordPress installation and thus influence extends to the web application’s server filesystem.

Risk and Exploitability

The CVSS score of 7.5 classifies the vulnerability as high severity. The EPSS score of 21% indicates a relatively high likelihood that exploitation attempts have occurred or will occur. The vulnerability is not listed in the CISA KEV catalog. Attackers can target the vulnerable AJAX endpoint without authentication, craft a request with the weak algorithm parameters, and retrieve arbitrary files. No special network or user privileges are required beyond the ability to issue HTTP requests to the site.

Generated by OpenCVE AI on April 21, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest File Away plugin update that removes the missing capability check (any release after 3.9.9.0.1).
  • If a patch cannot be applied immediately, temporarily disable the plugin’s ajax endpoint or restrict access to it through .htaccess or a security plugin.
  • Implement stricter filesystem permissions on the WordPress server to limit read access to sensitive files, and monitor the access logs for unusual AJAX request patterns.

Generated by OpenCVE AI on April 21, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Mon, 11 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared File Away Project
File Away Project file Away
CPEs cpe:2.3:a:file_away_project:file_away:*:*:*:*:*:wordpress:*:*
Vendors & Products File Away Project
File Away Project file Away

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.10384}

 epss

{'score': 0.18296}

Thu, 20 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 20 Mar 2025 11:30:00 +0000

Type Values Removed Values Added
Description The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the use of a reversible weak algorithm, to read the contents of arbitrary files on the server, which can contain sensitive information.
Title File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read
Weaknesses CWE-327
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

File Away Project File Away
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:17.856Z

Reserved: 2025-03-19T22:09:08.214Z

Link: CVE-2025-2539

cve-icon Vulnrichment

Updated: 2025-03-20T13:18:06.332Z

cve-icon NVD

Status : Modified

Published: 2025-03-20T12:15:14.900

Modified: 2026-04-08T18:24:36.143

Link: CVE-2025-2539

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T22:00:26Z

Weaknesses