What the vulnerability does
01 Description
The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the use of a reversible weak algorithm, to read the contents of arbitrary files on the server, which can contain sensitive information.
Explanation of Vulnerability in Simple Terms
02 Summary
File Away versions up to 3.9.9.0.1 use weak cryptographic algorithms that allow attackers to decrypt sensitive data. An attacker with network access can read encrypted information without authentication. This affects any site using the vulnerable version to store or transmit encrypted files or credentials.
What an attacker can do
03 Attacker Capabilities
Read encrypted data stored or transmitted by the application without needing a password or account.
Potential impact on your site
04 Site Impact
Sensitive files, credentials, or data encrypted by File Away can be decrypted and read by attackers.
Conditions required to exploit
05 Prerequisites
Network access to the application; no authentication or user interaction required.
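The description above names two gaps: an AJAX handler with no capability check, and a file reference protected only by a reversible algorithm. The following is an added sketch of the hardened pattern for a WordPress AJAX file reader, not File Away's code or its patch; the `myplugin_*` names, the `upload_files` capability, the `file` and `nonce` parameters and the uploads base directory are all assumptions chosen for illustration.

```php
<?php
// Added illustration with hypothetical names (myplugin_*); not File Away's code.

// Register for logged-in users only: no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_myplugin_read_file', 'myplugin_read_file' );

// Issue an opaque reference: the relative path plus an HMAC the client cannot forge.
function myplugin_file_token( string $relative_path ): string {
    $mac = hash_hmac( 'sha256', $relative_path, wp_salt( 'auth' ) );
    return base64_encode( $relative_path ) . '.' . $mac;
}

function myplugin_read_file(): void {
    // 1. The request must carry a valid nonce (the call dies with 403 otherwise).
    check_ajax_referer( 'myplugin_read_file', 'nonce' );

    // 2. Capability check, the step the advisory reports as missing.
    //    'upload_files' is an assumed choice; use the capability the feature needs.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Verify the MAC before trusting the path carried inside the token.
    $token = ( isset( $_POST['file'] ) && is_string( $_POST['file'] ) )
        ? wp_unslash( $_POST['file'] ) : '';
    $parts = explode( '.', $token, 2 );
    $path  = count( $parts ) === 2 ? base64_decode( $parts[0], true ) : false;
    if ( false === $path
        || ! hash_equals( hash_hmac( 'sha256', $path, wp_salt( 'auth' ) ), $parts[1] ) ) {
        wp_send_json_error( 'bad token', 400 );
    }

    // 4. Confine the resolved path to a single base directory.
    $base = realpath( wp_upload_dir()['basedir'] );
    $real = false === $base ? false : realpath( $base . DIRECTORY_SEPARATOR . $path );
    if ( false === $real
        || strncmp( $real, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) !== 0
        || ! is_file( $real ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    wp_send_json_success( array( 'contents' => file_get_contents( $real ) ) );
}
```

Each of the four checks fails closed on its own, so a forged or replayed file reference is rejected even if one of the other layers is misconfigured.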
Key dates
06 Disclosure timeline
March 20, 2025: CVE published
April 8, 2026: Record updated