CVE•Published 2025-03-19•Modified 2026-04-08•1 article on news•6 live references•NVD data
CVE-2025-2512File_away_project · File_away
Vulnerability data via NVD (ingested)
CVSS v3.1
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS percentile
—
Weaknesses (CWE)
Description
The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Timeline
Published 2025-03-19
Modified 2026-04-08
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
Shodan · vuln tag0 hosts
vuln:CVE-2025-2512Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · WP plugin path
http.html:"/wp-content/plugins/file-away/"Matches any site loading the "file-away" plugin — doesn't rely on Shodan's vuln tag.
Shodan · product
product:"File Away Project File Away"All exposed File Away Project File Away instances — cross-reference with the CVE's affected-version range.
Shodan · banner/body mention
http.html:"File Away"HTTP body or banner mentions "File Away" — catches deploys Shodan didn't identify as a product.
More intel sources (5)
Shodan report
vuln:CVE-2025-2512Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2025-2512Censys host search filtered to this CVE id.
grep.app
CVE-2025-2512Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2025-2512GitHub code search for direct mentions.
Google dork
"CVE-2025-2512" exploit -site:nvd.nist.govWrite-ups and news, NVD excluded.
Known PoCs on GitHub (8)
CVE-2025-25128 repos
nomi-sec/PoC-in-GitHubunknown
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
ruvnet/RuVectorRust
RuVector is a High Performance, Real-Time, Self-Learning Ai, Vector GNN, Memory DB built in Rust.
Tencent/AI-Infra-GuardPython
A full-stack AI Red Teaming platform securing AI ecosystems via OpenClaw Security Scan, Agent Scan, Skills Scan, MCP scan, AI Infra scan and LLM jailbreak evaluation.
mrwadams/attackgenPython
AttackGen is a cybersecurity incident response testing tool that leverages the power of large language models and the comprehensive MITRE ATT&CK framework. The tool generates tailo…
muellerberndt/awesome-ai-securityTypeScript
An AI security awesome list / learning journey
johe123qwe/github-trendingPython
定时抓取 Github Trending
Ledger-Donjon/zoryaRust
Zorya: Automated Concolic Execution Engine optimized for Go Binaries analysis, using Ghidra's P-Code as IR, and written in Rust.
nikhilvallishayee/duhPython
D.U.H. — D.U.H is a Universal Harness. Provider-agnostic AI coding agent.