CVE-2025-2539

HIGH · EXPLOITED · NUCLEI

File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read

Title source: nuclei

Exploitation Summary

CVE-2025-2539 has been observed being exploited in the wild (reported by VulnCheck KEV). EIP tracks 8 public exploits from researchers including iSee857, verylazytech and RootHarpy. A Nuclei detection template is also available.

AI-analyzed exploit summary: The public PoCs for CVE-2025-2539 are Python scripts that extract a nonce from a public page of the target site and then use it to read arbitrary files (for example wp-config.php) through the plugin's AJAX endpoint. One repository also chains the CVE-2025-2512 arbitrary file upload in the same plugin to reach remote code execution.

Description

The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the use of a reversible weak algorithm, to read the contents of arbitrary files on the server, which can contain sensitive information. The nonce the AJAX handler expects can be obtained from a public page of the site, so it provides no authorization; the file path is protected only by a reversible weak algorithm (CWE-327) rather than by a capability check, which is why the read is reachable without any account.

Exploits (8)

github · WORKING POC · 40 stars
by iSee857 · python · poc
https://github.com/iSee857/CVE-PoC/tree/main/WordPress-CVE-2025-2539-ReadAnyFile.py

A Python proof of concept (WordPress-CVE-2025-2539-ReadAnyFile.py) for CVE-2025-2539, the unauthenticated arbitrary file read in the File Away WordPress plugin <= 3.9.9.0.1; like the other listed PoCs it targets the plugin's exposed AJAX endpoint.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: File Away WordPress plugin <= 3.9.9.0.1
No auth needed
Prerequisites: Target must have the vulnerable File Away plugin installed · Network access to the target
devstral-2 · analyzed Feb 27, 2026
nomisec · WORKING POC · 4 stars
by verylazytech · infoleak
https://github.com/verylazytech/CVE-2025-2539

This PoC exploits CVE-2025-2539, an arbitrary file read vulnerability in the File Away WordPress plugin (versions <= 3.9.9.0.1) due to missing authorization checks. It extracts a nonce from the target site and uses it to read arbitrary files via an AJAX endpoint.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: File Away WordPress plugin <= 3.9.9.0.1
No auth needed
Prerequisites: Target must have the vulnerable File Away plugin installed · Target must be accessible via HTTP/HTTPS
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 2 stars
by RootHarpy · infoleak
https://github.com/RootHarpy/CVE-2025-2539

This is a functional PoC exploit for CVE-2025-2539, targeting an unauthenticated arbitrary file read vulnerability in the WordPress File Away Plugin ≤ 3.9.9.0.1. The script fetches a nonce and uses it to exploit an exposed AJAX endpoint to read arbitrary files.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: WordPress File Away Plugin ≤ 3.9.9.0.1
No auth needed
Prerequisites: Target must have the vulnerable plugin installed and accessible · Network access to the target WordPress site
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC
by fazaroot · poc
https://github.com/fazaroot/CVE-2025-2539---File-Away-WordPress-Plugin-Arbitrary-File-Read

The repository contains a functional exploit for CVE-2025-2539, an unauthenticated arbitrary file read vulnerability in the File Away WordPress plugin (versions <= 3.9.9.0.1). The exploit leverages unsanitized input in the 'fileaway-stats' AJAX action to perform directory traversal; the nonce it needs is taken from the target site rather than from an authenticated session.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: File Away WordPress Plugin <= 3.9.9.0.1
No auth needed
Prerequisites: WordPress installation with File Away plugin <= 3.9.9.0.1 · Nonce value, obtainable from a public page of the target
devstral-2 · analyzed Feb 16, 2026
github · WORKING POC
by AlvaXPloit · python · infoleak
https://github.com/AlvaXPloit/CVE-2025-2539

This Python script exploits CVE-2025-2539, an arbitrary file read vulnerability in File Away WordPress plugin versions up to and including 3.9.9.0.1. It fetches a nonce from the target and uses it to retrieve sensitive files via an AJAX endpoint.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: File Away WordPress plugin <= 3.9.9.0.1
No auth needed
Prerequisites: Target URL with vulnerable File Away plugin · Network access to the target
devstral-2 · analyzed Feb 19, 2026
nomisec · WORKING POC
by d4rkh0rse · infoleak
https://github.com/d4rkh0rse/CVE-2025-2539

This is a functional exploit for CVE-2025-2539, targeting an arbitrary file read vulnerability in the FileAway WordPress plugin (<= v3.9.9.0.1). The exploit extracts a nonce from the target page and uses it to send an AJAX request to read arbitrary files, then downloads and saves the file content.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: FileAway WordPress Plugin <= v3.9.9.0.1
No auth needed
Prerequisites: Target must have the vulnerable FileAway plugin installed and accessible · Target URL must be reachable
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC
by Yucaerin · infoleak
https://github.com/Yucaerin/CVE-2025-2539

This PoC exploits CVE-2025-2539, an unauthenticated arbitrary file read vulnerability in WordPress File Away plugin <= 3.9.9.0.1. It automates nonce extraction, file reading (e.g., wp-config.php), and credential validation, including remote DB access checks.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: WordPress File Away plugin <= 3.9.9.0.1
No auth needed
Prerequisites: Target must have the vulnerable plugin installed · Target must be accessible via HTTP/HTTPS
devstral-2 · analyzed Feb 16, 2026
github · WORKING POC
by whattheslime · python · poc
https://github.com/whattheslime/file-away-exploit

This repository contains functional exploit code for CVE-2025-2539 and CVE-2025-2512, targeting the File-Away WordPress plugin. The exploits demonstrate unauthenticated arbitrary file read (CVE-2025-2539) and arbitrary file upload (CVE-2025-2512), leading to remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: File-Away WordPress plugin <= 3.9.9.0.1
No auth needed
Prerequisites: File-Away plugin installed and enabled · WordPress instance accessible
devstral-2 · analyzed May 01, 2026
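The PoC summaries above share one traffic pattern: a client fetches a public page to harvest a nonce, then sends an admin-ajax.php request for the File Away action with a traversal path. The scanner below turns that into a detection over web-server access logs. It is an added example written for this page, not code from the tracker or from any of the listed repositories. Assumptions: logs are in the Apache/nginx "combined" format; the AJAX action name is "fileaway-stats" as given in the fazaroot PoC summary; the request parameter that carries the file path is not documented on this page, so the constructed sample uses a placeholder "p=" and the scanner inspects the whole decoded request line rather than one named field.

```python
"""Scan web-server access logs for CVE-2025-2539 exploitation attempts.

Added example for this page; not code from the tracker or from any listed
PoC. Assumptions: combined log format; AJAX action "fileaway-stats" (from the
fazaroot summary); the path-carrying parameter is unknown, so "p=" below is a
placeholder and the whole decoded request line is scanned.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Matches ?action=fileaway-stats or &action=fileaway-stats, not a longer action name.
FILEAWAY_ACTION_RE = re.compile(r"[?&]action=fileaway-stats(?:&|$)")
# Path fragments a file-read exploit is likely to request.
SENSITIVE_PATHS = ("wp-config.php", "/etc/passwd", "/etc/shadow", ".htaccess", ".env")

# Constructed sample log (not real traffic). Line 2 double-URL-encodes "../"
# as %252F, a common evasion; "p=" is a placeholder parameter name.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Feb/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.7 - - [16/Feb/2026:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=fileaway-stats&p=..%252F..%252Fwp-config.php HTTP/1.1" 200 2890 "-" "python-requests/2.31"
198.51.100.2 - - [16/Feb/2026:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Decode twice so %252F (double-encoded "/") is seen as a real slash.
    req["path"] = unquote(unquote(req["path"]))
    return req


def indicators(path):
    """Return the traversal / sensitive-file indicators found in a decoded path."""
    low = path.lower()
    hits = []
    if "../" in low or "..\\" in low:
        hits.append("traversal")
    hits.extend(s for s in SENSITIVE_PATHS if s in low)
    return hits


def scan(lines, window=timedelta(seconds=120)):
    """Report every admin-ajax.php request for the File Away action.

    Each finding records the indicators seen in the request line, whether the
    same client fetched a regular page shortly before (the PoCs harvest the
    nonce from a public page first), and the response status. Only the request
    line is visible here: a path sent in a POST body needs application or WAF
    logs, so a plain "medium" finding with status 200 still deserves a look.
    """
    reqs = [r for r in (parse_line(l) for l in lines) if r is not None]
    findings = []
    for i, req in enumerate(reqs):
        if "admin-ajax.php" not in req["path"] or not FILEAWAY_ACTION_RE.search(req["path"]):
            continue
        page_fetch_before = any(
            p["ip"] == req["ip"] and p["method"] == "GET"
            and "admin-ajax.php" not in p["path"]
            and timedelta(0) <= req["ts"] - p["ts"] <= window
            for p in reqs[:i]
        )
        hits = indicators(req["path"])
        findings.append({
            "ip": req["ip"],
            "time": req["ts"].isoformat(),
            "status": req["status"],
            "indicators": hits,
            "page_fetch_before": page_fetch_before,
            "severity": "high" if hits else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against real logs by replacing SAMPLE_LOG with the file contents; the double decode matters because a single unquote leaves `%2F` in place and the traversal check would miss it. Whether a request was unauthenticated cannot be read from an access log, so treat any hit on the action as worth correlating with the plugin version actually installed.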

Nuclei Templates (1)

File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read
HIGH · VERIFIED · by iamnoooob, rootxharsh, pdresearch

Scores

CVSS v3 7.5
EPSS 0.2072 (20.7% estimated probability of exploitation activity within 30 days)
EPSS Percentile 95.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none (CISA Vulnrichment assessment at publication; VulnCheck KEV has since recorded in-the-wild exploitation, see Details)
Automatable yes
Technical Impact partial

Details

VulnCheck KEV 2025-10-12
CWE
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
Status published
Products (2)
file_away_project/file_away <= 3.9.9.0.1
thomstark/File Away <= 3.9.9.0.1
Published Mar 20, 2025
Tracked Since Feb 18, 2026