CVE Tools

CVE-2025-12057

WavePlayer < 3.8.0 - Unauthenticated Arbitrary File Upload

Published: Nov 19, 2025Updated: Jan 9, 2026 Sources: CVE List NVDCWE-434

Description

The WavePlayer WordPress plugin before 3.8.0 does not have authorization in an AJAX action as well as does not validate the file to be copied locally, allowing unauthenticated users to upload arbitrary file on the server and lead to RCE

In plain language

AI Act now

CVE-2025-12057 is a serious WordPress plugin flaw in WavePlayer that lets an attacker upload files to your server without logging in; if you run WavePlayer versions earlier than 3.8.0, you should update urgently.

Executive summary

In WavePlayer (before 3.8.0), an unauthenticated AJAX endpoint lacks proper authorization checks and does not validate the uploaded file, enabling arbitrary file upload to the server and potentially resulting in remote code execution.

If affected, business impact
Server takeover riskMalware/Ransomware deploymentWebsite defacement or downtimeCustomer data exposure

What to do now

  1. Check your WordPress site for the installed WavePlayer plugin version (Plugins page → WavePlayer → version number).
  2. If the version is earlier than 3.8.0, plan an immediate upgrade.
  3. Update WavePlayer to version 3.8.0 or later.
  4. After updating, verify the site still loads normally and review web server and WordPress logs for unusual upload activity around the time of the change.
Usually a quick update

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:HI:HA:H
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:HIntegrity
High
A:HAvailability
High

Weaknesses

Exploitability

1 exploit source identified

Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.

View exploit details

Attack Graph

Products CVE Techniques Tactics

Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/ + scroll to zoom, or go fullscreen.

MITRE ATT&CK

3 techniques
Command and Control
Initial Access
Persistence
View detailed technique mapping

References

3

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2025-12057 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows