CVE-2025-2512

9.8 CRITICAL

📋 TL;DR

The File Away WordPress plugin allows unauthenticated attackers to upload arbitrary files to affected websites due to missing security checks. This vulnerability affects all versions up to 3.9.9.0.1 and can lead to complete server compromise through remote code execution.

💻 Affected Systems

Products:
  • File Away WordPress Plugin
Versions: All versions up to and including 3.9.9.0.1
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable File Away plugin versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server takeover via remote code execution, data theft, website defacement, and malware distribution.

🟠

Likely Case

Website compromise with backdoor installation, data exfiltration, and use as attack platform.

🟢

If Mitigated

Limited impact if file execution restrictions are in place, but file storage space could still be abused.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP POST requests can exploit this vulnerability without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.9.0.2 or later

Vendor Advisory: https://wordpress.org/plugins/file-away/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the File Away plugin.
4. Click 'Update Now' if available.
5. If no update appears, manually download the latest version from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable File Away Plugin (platform: all)

Temporarily disable the vulnerable plugin until it is patched.

wp plugin deactivate file-away

Restrict File Upload Directory (platform: linux)

Add .htaccess rules to prevent PHP execution in the plugin's upload directory. This only takes effect on Apache with mod_php and AllowOverride enabled; on nginx or PHP-FPM setups the directive is ignored, so block PHP execution for that directory in the server configuration instead. Note that the redirect below overwrites any existing .htaccess in the directory; append to it if one is already present.

echo 'php_flag engine off' > /path/to/wordpress/wp-content/uploads/file-away/.htaccess

🧯 If You Can't Patch

  • Disable the File Away plugin immediately
  • Implement web application firewall rules to block file upload requests to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for File Away version 3.9.9.0.1 or earlier.

Check Version:

wp plugin get file-away --field=version

Verify Fix Applied:

Verify File Away plugin version is 3.9.9.0.2 or later in WordPress admin.
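Comparing dotted plugin versions by hand is error-prone (3.10 sorts after 3.9.9.0.2, and 3.9.9 is shorter than the fixed version), so the following added example, which is not part of the advisory or the plugin, does the comparison numerically. It assumes the fixed version 3.9.9.0.2 stated above and, for the optional live check, that wp-cli is installed; the `--path` option is a standard wp-cli global flag.

```python
"""Decide whether an installed File Away version is below the fixed release.

Added example, not the advisory's own tooling. The version threshold comes
from the advisory; everything else is an assumption of this script.
"""
from __future__ import annotations

import re
import subprocess

FIXED_VERSION = "3.9.9.0.2"  # first patched release per the advisory
PLUGIN_SLUG = "file-away"

_NUMERIC_PREFIX = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '3.9.9.0.1' into (3, 9, 9, 0, 1).

    A non-numeric tail such as '-beta' is dropped, so a pre-release of the
    fixed version compares equal to it; treat that as a judgement call.
    """
    m = _NUMERIC_PREFIX.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly lower than the fixed one.

    Shorter tuples are right-padded with zeros so that '3.9.9' compares as
    3.9.9.0.0, and plain tuple ordering handles 3.10 > 3.9.9.0.2 correctly.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def installed_version(wp_path: str) -> str:
    """Ask wp-cli for the plugin version of the site rooted at wp_path.

    Assumes wp-cli is on PATH; the command is the one the advisory uses for
    its version check, plus the --path global option to select the site.
    """
    out = subprocess.run(
        ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={wp_path}"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    import sys

    site = sys.argv[1] if len(sys.argv) > 1 else "/path/to/wordpress"  # placeholder
    version = installed_version(site)
    verdict = "VULNERABLE" if is_vulnerable(version) else "patched"
    print(f"{PLUGIN_SLUG} {version}: {verdict} (fixed in {FIXED_VERSION})")
```

Run it with the WordPress root as the first argument, or import `is_vulnerable` into an inventory script that already has version strings from another source.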

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with action=fileaway_upload
  • Unusual file uploads to wp-content/uploads/file-away/ directory
  • PHP files with suspicious names in upload directories

Network Indicators:

  • POST requests with file uploads to WordPress admin-ajax endpoint
  • Unusual outbound connections from WordPress server

SIEM Query:

source="web_access_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="fileaway_upload"
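To show the log indicators above applied to real access-log lines, here is an added example (not part of the advisory) that scans Apache/nginx combined-format logs for two of them: POSTs to admin-ajax.php carrying action=fileaway_upload in the query string, and requests for PHP files under the file-away upload directory, which would indicate an uploaded script being executed. The sample log lines are constructed for the example. One caveat the page's SIEM query also inherits: WordPress accepts the action parameter in the POST body as well as the query string, and access logs record only the latter, so body-based requests need a WAF or request-body log to catch.

```python
"""Scan combined-format web access logs for File Away upload indicators.

Added example, not the advisory's own detection content. The paths and the
action name come from the advisory; the sample log lines are constructed.
"""
from __future__ import annotations

import re
from typing import Iterable, NamedTuple
from urllib.parse import parse_qs, unquote, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"          # from the advisory
UPLOAD_ACTION = "fileaway_upload"               # from the advisory
UPLOAD_DIR = "/wp-content/uploads/file-away/"   # from the advisory

# Apache/nginx "combined" format:
# ip - user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Extensions a PHP handler is commonly configured to execute.
PHP_EXT_RE = re.compile(r"\.(?:php|phtml|phar|php\d)$", re.IGNORECASE)


class Finding(NamedTuple):
    kind: str      # "upload_request" or "php_in_upload_dir"
    ip: str
    time: str
    target: str
    status: str


def classify(line: str) -> Finding | None:
    """Return a Finding for a suspicious line, or None for benign/unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = unquote(url.path)  # decode %2e-style obfuscation before matching
    qs = parse_qs(url.query)

    if m["method"] == "POST" and path == AJAX_PATH and UPLOAD_ACTION in qs.get("action", []):
        return Finding("upload_request", m["ip"], m["time"], m["target"], m["status"])

    if path.lower().startswith(UPLOAD_DIR) and PHP_EXT_RE.search(path):
        return Finding("php_in_upload_dir", m["ip"], m["time"], m["target"], m["status"])

    return None


def scan(lines: Iterable[str]) -> list[Finding]:
    """Classify every line and keep only the findings, in log order."""
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample: one upload request and one PHP fetch from 203.0.113.7,
# plus two benign lines (a heartbeat AJAX call and a PDF download).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=fileaway_upload HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "GET /wp-content/uploads/file-away/x.php HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.2 - - [10/Mar/2025:12:01:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2025:12:01:12 +0000] "GET /wp-content/uploads/file-away/report.pdf HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    import sys

    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for f in scan(source):
        print(f"{f.time} {f.ip} {f.kind:18} {f.status} {f.target}")
```

Point it at a real access log as the first argument; with no argument it runs over the constructed sample. A single `upload_request` hit followed by a `php_in_upload_dir` hit from the same client within seconds is the sequence worth escalating, since a successful upload that is then fetched is the RCE path the TL;DR describes.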
