Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    6 vulnerabilities by file_away_project

    CVE-2025-2539 (GCVE-0-2025-2539)

    Vulnerability from nvd – Published: 2025-03-20 11:11 – Updated: 2026-04-08 16:55
    VLAI
    Title
    File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read
    Summary
    The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the use of a reversible weak algorithm, to read the contents of arbitrary files on the server, which can contain sensitive information.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
    Assigner
    Impacted products
    Vendor Product Version
    thomstark File Away Affected: 0 , ≤ 3.9.9.0.1 (semver)
    Create a notification for this product.
    Credits
    Sélim Lanouar
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2539",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-20T13:17:23.486525Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-20T13:18:27.519Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "File Away",
              "vendor": "thomstark",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.9.0.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "S\u00e9lim Lanouar"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the use of a reversible weak algorithm,  to read the contents of arbitrary files on the server, which can contain sensitive information."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:55:17.856Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b23bd5c-db27-4d63-8461-1f36958a2ff6?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/file-away/trunk/lib/cls/class.fileaway_stats.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/file-away/trunk/lib/cls/class.fileaway_encrypted.php"
            },
            {
              "url": "https://wordpress.org/plugins/file-away/#developers"
            },
            {
              "url": "https://github.com/whattheslime/file-away-exploit?tab=readme-ov-file"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-19T22:11:18.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "File Away \u003c= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-2539",
        "datePublished": "2025-03-20T11:11:26.994Z",
        "dateReserved": "2025-03-19T22:09:08.214Z",
        "dateUpdated": "2026-04-08T16:55:17.856Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-2512 (GCVE-0-2025-2512)

    Vulnerability from nvd – Published: 2025-03-19 11:23 – Updated: 2026-04-08 17:11
    VLAI
    Title
    File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated File Upload via upload Function
    Summary
    The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    thomstark File Away Affected: 0 , ≤ 3.9.9.0.1 (semver)
    Create a notification for this product.
    Credits
    Sélim Lanouar
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2512",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-19T13:16:15.121369Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-19T13:20:20.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "File Away",
              "vendor": "thomstark",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.9.0.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "S\u00e9lim Lanouar"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:11:06.397Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9a93313d-a5d7-4109-93c5-b2da26e7a486?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/file-away/trunk/lib/cls/class.fileaway_management.php#L1094"
            },
            {
              "url": "https://wordpress.org/plugins/file-away/#developers"
            },
            {
              "url": "https://github.com/whattheslime/file-away-exploit?tab=readme-ov-file"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-18T23:14:34.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "File Away \u003c= 3.9.9.0.1 - Missing Authorization to Unauthenticated File Upload via upload Function"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-2512",
        "datePublished": "2025-03-19T11:23:30.809Z",
        "dateReserved": "2025-03-18T23:04:49.949Z",
        "dateUpdated": "2026-04-08T17:11:06.397Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-0431 (GCVE-0-2023-0431)

    Vulnerability from nvd – Published: 2023-06-12 17:28 – Updated: 2025-01-03 14:50
    VLAI
    Title
    File Away <= 3.9.9.0.1 - Contributor+ Stored XSS via Shortcode
    Summary
    The File Away WordPress plugin through 3.9.9.0.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/fdcbd9a3-552d-43… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown File Away Affected: 0 , ≤ 3.9.9.0.1 (custom)
    Create a notification for this product.
    Credits
    Lana Codes WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T05:10:56.151Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/fdcbd9a3-552d-439e-b283-1d3d934889af"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-0431",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-03T14:50:03.441108Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-03T14:50:20.380Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "affected",
              "product": "File Away",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.9.0.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lana Codes"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The File Away WordPress plugin through 3.9.9.0.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-12T17:28:21.850Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/fdcbd9a3-552d-439e-b283-1d3d934889af"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "File Away \u003c= 3.9.9.0.1 - Contributor+ Stored XSS via Shortcode",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2023-0431",
        "datePublished": "2023-06-12T17:28:21.850Z",
        "dateReserved": "2023-01-20T22:44:48.817Z",
        "dateUpdated": "2025-01-03T14:50:20.380Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2539 (GCVE-0-2025-2539)

    Vulnerability from cvelistv5 – Published: 2025-03-20 11:11 – Updated: 2026-04-08 16:55
    VLAI
    Title
    File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read
    Summary
    The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the use of a reversible weak algorithm, to read the contents of arbitrary files on the server, which can contain sensitive information.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
    Assigner
    Impacted products
    Vendor Product Version
    thomstark File Away Affected: 0 , ≤ 3.9.9.0.1 (semver)
    Create a notification for this product.
    Credits
    Sélim Lanouar
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2539",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-20T13:17:23.486525Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-20T13:18:27.519Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "File Away",
              "vendor": "thomstark",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.9.0.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "S\u00e9lim Lanouar"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the use of a reversible weak algorithm,  to read the contents of arbitrary files on the server, which can contain sensitive information."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:55:17.856Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b23bd5c-db27-4d63-8461-1f36958a2ff6?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/file-away/trunk/lib/cls/class.fileaway_stats.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/file-away/trunk/lib/cls/class.fileaway_encrypted.php"
            },
            {
              "url": "https://wordpress.org/plugins/file-away/#developers"
            },
            {
              "url": "https://github.com/whattheslime/file-away-exploit?tab=readme-ov-file"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-19T22:11:18.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "File Away \u003c= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-2539",
        "datePublished": "2025-03-20T11:11:26.994Z",
        "dateReserved": "2025-03-19T22:09:08.214Z",
        "dateUpdated": "2026-04-08T16:55:17.856Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-2512 (GCVE-0-2025-2512)

    Vulnerability from cvelistv5 – Published: 2025-03-19 11:23 – Updated: 2026-04-08 17:11
    VLAI
    Title
    File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated File Upload via upload Function
    Summary
    The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    thomstark File Away Affected: 0 , ≤ 3.9.9.0.1 (semver)
    Create a notification for this product.
    Credits
    Sélim Lanouar
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2512",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-19T13:16:15.121369Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-19T13:20:20.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "File Away",
              "vendor": "thomstark",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.9.0.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "S\u00e9lim Lanouar"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:11:06.397Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9a93313d-a5d7-4109-93c5-b2da26e7a486?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/file-away/trunk/lib/cls/class.fileaway_management.php#L1094"
            },
            {
              "url": "https://wordpress.org/plugins/file-away/#developers"
            },
            {
              "url": "https://github.com/whattheslime/file-away-exploit?tab=readme-ov-file"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-18T23:14:34.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "File Away \u003c= 3.9.9.0.1 - Missing Authorization to Unauthenticated File Upload via upload Function"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-2512",
        "datePublished": "2025-03-19T11:23:30.809Z",
        "dateReserved": "2025-03-18T23:04:49.949Z",
        "dateUpdated": "2026-04-08T17:11:06.397Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-0431 (GCVE-0-2023-0431)

    Vulnerability from cvelistv5 – Published: 2023-06-12 17:28 – Updated: 2025-01-03 14:50
    VLAI
    Title
    File Away <= 3.9.9.0.1 - Contributor+ Stored XSS via Shortcode
    Summary
    The File Away WordPress plugin through 3.9.9.0.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/fdcbd9a3-552d-43… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown File Away Affected: 0 , ≤ 3.9.9.0.1 (custom)
    Create a notification for this product.
    Credits
    Lana Codes WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T05:10:56.151Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/fdcbd9a3-552d-439e-b283-1d3d934889af"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-0431",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-03T14:50:03.441108Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-03T14:50:20.380Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "affected",
              "product": "File Away",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.9.0.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lana Codes"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The File Away WordPress plugin through 3.9.9.0.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-12T17:28:21.850Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/fdcbd9a3-552d-439e-b283-1d3d934889af"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "File Away \u003c= 3.9.9.0.1 - Contributor+ Stored XSS via Shortcode",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2023-0431",
        "datePublished": "2023-06-12T17:28:21.850Z",
        "dateReserved": "2023-01-20T22:44:48.817Z",
        "dateUpdated": "2025-01-03T14:50:20.380Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }