3 matches found
CVE-2025-2539
The WordPress File Away plugin is vulnerable to unauthenticated arbitrary file read via a missing capability check in the ajax() endpoint in all versions up to 3.9.9.0.1. Authenticated status is not required (ATT&CK: None specified in documents), and the vulnerability allows reading server files ...
CVE-2025-2512
The CVE-2025-2512 entry concerns the WordPress File Away plugin (versions up to 3.9.9.0.1). The vulnerability is an unauthenticated arbitrary file upload due to a missing capability check and missing file-type validation in upload(), which could enable remote code execution on affected sites. Mul...
CVE-2023-0431
CVE-2023-0431 affects the File Away WordPress plugin (versions up to 3.9.9.0.1). The vulnerability is a Stored XSS due to insufficient validation/escaping of a shortcode attribute, enabling a contributor-level user to inject script. Public data show the vulnerability as existing and, per Wordfenc...