POC - CVE-2025–2539 File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File
Become VeryLazyTech member! 🎁
Follow us on:
✖ Twitter @VeryLazyTech.
👾 Github @VeryLazyTech.
📜 Medium @VeryLazyTech.
📺 YouTube @VeryLazyTech.
📩 Telegram @VeryLazyTech.
🕵️♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚
Overview
The File Away plugin for WordPress (versions ≤ 3.9.9.0.1) is affected by a critical vulnerability caused by a missing capability check in the ajax()
function. This vulnerability allows unauthenticated users to exploit the plugin via crafted AJAX requests. Due to the use of a reversible weak encoding algorithm, attackers can read arbitrary files on the target server — including configuration files, credentials, or other sensitive data.
Impact: Complete disclosure of sensitive server-side files without authentication.
CVE ID: CVE-2025–2539 Vulnerable Plugin: File Away ≤ 3.9.9.0.1 Vulnerability Type: Missing Authorization / Arbitrary File Read Access Complexity: Low Authentication Required: None
Disclaimer: This Proof of Concept (POC) is made for educational and ethical testing purposes only. Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
Getting Started
Finding Targets
To identify websites potentially using the vulnerable File Away plugin, use the following FOFA dork:
(body="/wp-content/plugins/file-away/" || (body="http://gmpg.org/xfn/11" && body="/wp-content/plugins/sparklethemes-shortcodes") && icon_hash="1198047028")
Cloning the Repository
First, clone the repository:
git clone https://github.com/verylazytech/CVE-2025-2539
cd CVE-2025-2539
Run the Exploit:
./CVE-2025-2539.sh <Target:port> <File>
Example:
./CVE-2025-2539.sh https://vulnerable-site.com /wp-config.php
The script will attempt to access and display the contents of the specified file if the target is vulnerable.
This makes it possible for unauthenticated attackers to read arbitrary files including the WordPress configuration file (wp-config.php
).
Learn & practice For the OSCP.
Last updated
Was this helpful?