CVE-2025-2512: 
WordPress vulnerability analysis and mitigation

The File Away plugin for WordPress contains a critical vulnerability (CVE-2025-2512) discovered on March 18, 2025. The vulnerability affects all versions up to and including 3.9.9.0.1 and is caused by a missing capability check and missing file type validation in the upload() function. This security flaw allows unauthenticated attackers to upload arbitrary files to the affected site's server (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The security issue stems from two main problems in the upload() function: a missing capability check that should verify user permissions, and inadequate file type validation that fails to properly restrict uploadable file types. This combination allows unauthenticated users to upload potentially malicious files to the server (NVD, Wordfence).

The vulnerability's impact is severe as it allows unauthenticated attackers to upload arbitrary files to the affected WordPress site's server. This capability could potentially lead to remote code execution if malicious files are uploaded and executed. The high CVSS score of 9.8 reflects the critical nature of this vulnerability, indicating potential complete system compromise (NVD).

As of the vulnerability disclosure, there is no official patch available since the plugin has been closed since March 24, 2023. Website administrators using the File Away plugin are strongly advised to remove it from their WordPress installations immediately to prevent potential exploitation (WordPress Plugin).