## https://sploitus.com/exploit?id=38DD669A-D9E3-549C-8630-9BE136ED2966
# CVE-2025-2539 - WordPress File Away <= 3.9.9.0.1 - Arbitrary File Read
**Vulnerability Summary**
The WordPress plugin **File Away** in versions <= 3.9.9.0.1 contains an unauthenticated arbitrary file read vulnerability.
It allows attackers to read any file on the server, such as `wp-config.php`, through a crafted request to the plugin's AJAX endpoint.
The vulnerability stems from improper nonce validation and a lack of path restriction in the `fileaway-stats` action exposed via `admin-ajax.php`.
Attackers can leverage this to retrieve sensitive files and extract credentials, potentially leading to full compromise.
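As an added, defender-side example (not part of this repository or the original page), the following Python scans web-server access logs in combined log format for requests to the vulnerable `fileaway-stats` action described above and flags traversal sequences or sensitive file names in any query value. The log lines, the parameter name `sample_param` and the severity labels are constructed for illustration; this page does not name the parameter that carries the path, so the check inspects every value rather than one assumed parameter.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); `sample_param` is an invented name.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=fileaway-stats&sample_param=..%2F..%2Fwp-config.php HTTP/1.1" 200 1832 "-" "python-requests/2.31"
203.0.113.10 - - [10/Mar/2025:12:00:00 +0000] "GET /?p=1 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2025:12:01:15 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2025:12:02:30 +0000] "GET /wp-admin/admin-ajax.php?action=fileaway-stats HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# File names whose appearance in a fileaway-stats request is a strong indicator of a read attempt.
SENSITIVE = ("wp-config.php", "/etc/passwd", ".htaccess")


def classify(target):
    """Return (severity, reason) for a request target, or None if it is not a fileaway-stats call."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "fileaway-stats" not in params.get("action", []):
        return None
    # parse_qs decodes once; decode twice more so double-encoded traversal is still caught.
    values = [unquote(unquote(v)).lower() for vs in params.values() for v in vs]
    for v in values:
        if "../" in v or "..\\" in v:
            return ("high", "path traversal in fileaway-stats request")
        if any(name in v for name in SENSITIVE):
            return ("high", "sensitive file name in fileaway-stats request")
    # Any reachable call to the unpatched action is worth reviewing, even without obvious indicators.
    return ("info", "fileaway-stats action called; confirm plugin is patched")


def scan_log(text):
    """Parse combined-format log text and return one finding per suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify(m["target"])
        if hit:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "severity": hit[0], "reason": hit[1]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:5} {f['ip']:15} {f['ts']}  {f['reason']}")
```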
---
**Affected Plugin**
- **Plugin Name:** File Away
- **Affected Version:** <= 3.9.9.0.1
- **Vulnerability Type:** Unauthenticated Arbitrary File Read
- **CVE ID:** CVE-2025-2539
- **CVSS Score:** 9.1 (Critical)
- **Impact:** Sensitive Information Disclosure → Potential RCE (via DB creds + upload)
---
**Exploit Features**
- Fetches `nonce` automatically from the target page
- Reads arbitrary file (e.g., `wp-config.php`)
- Extracts DB credentials (`DB_USER`, `DB_PASSWORD`, `DB_HOST`)
- Validates access to `/phpmyadmin` or `/phpMyAdmin`
- Attempts remote DB login using retrieved credentials
- Stores valid credentials and phpMyAdmin access in:
  - `result_database.txt`
  - `result_phpmyadmin_dan_config_valid.txt`
  - `result_databaseremotevalid.txt`
---
**Researcher**
Credit: [https://github.com/RootHarpy/CVE-2025-2539](https://github.com/RootHarpy/CVE-2025-2539)
---
**Usage**
Prepare your `list.txt` file with a list of target domains (one per line, **without** `http` or `https`).
Example `list.txt`:
```
example.com
victimsite.org
target123.net
```
Run the script:
```bash
python3 mass_cve_2539.py
```
---
**Output**
- `result_database.txt` → List of extracted DB credentials
- `result_phpmyadmin_and_config_valid.txt` → List of phpMyAdmin URLs found
- `result_databaseremotevalid.txt` → List of valid remote DB credentials
---
**Disclaimer:**
This tool is intended **for educational purposes only** and **should only be used on systems you own or are explicitly authorized to test**. Misuse of this code may lead to legal consequences.