CVE-2025-2512

CRITICAL

File Away < 3.9.9.0.1 - Unauthenticated Arbitrary File Upload via upload() Function

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-2512. PoCs published by whattheslime.

AI-analyzed exploit summary

This repository contains functional exploit code for CVE-2025-2512, an unauthenticated arbitrary file upload vulnerability in the File-Away WordPress plugin (versions up to 3.9.9.0.1). The exploit includes scripts to upload arbitrary files, leading to remote code execution (RCE).

Description

The File Away plugin for WordPress is vulnerable to arbitrary file upload due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.

Exploits (1)

nomisec WORKING POC
by whattheslime · poc
https://github.com/whattheslime/file-away-exploit


Classification
Working PoC: 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: File-Away WordPress plugin <= 3.9.9.0.1
No auth needed
Prerequisites: File-Away plugin installed and enabled on the target WordPress instance
devstral-2 · analyzed Mar 11, 2026

Scores

CVSS v3 9.8
EPSS 0.0083
EPSS Percentile 52.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (2)
file_away_project/file_away < 3.9.9.0.1
thomstark/File Away < 3.9.9.0.1
Published Mar 19, 2025
Tracked Since Feb 18, 2026