CVE-2025-12057
WavePlayer < 3.8.0 - Unauthenticated Arbitrary File Upload
Description
The WavePlayer WordPress plugin before 3.8.0 does not have authorization in an AJAX action as well as does not validate the file to be copied locally, allowing unauthenticated users to upload arbitrary file on the server and lead to RCE
In plain language
AI Act nowCVE-2025-12057 is a serious WordPress plugin flaw in WavePlayer that lets an attacker upload files to your server without logging in; if you run WavePlayer versions earlier than 3.8.0, you should update urgently.
In WavePlayer (before 3.8.0), an unauthenticated AJAX endpoint lacks proper authorization checks and does not validate the uploaded file, enabling arbitrary file upload to the server and potentially resulting in remote code execution.
What to do now
- Check your WordPress site for the installed WavePlayer plugin version (Plugins page → WavePlayer → version number).
- If the version is earlier than 3.8.0, plan an immediate upgrade.
- Update WavePlayer to version 3.8.0 or later.
- After updating, verify the site still loads normally and review web server and WordPress logs for unusual upload activity around the time of the change.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Exploitability
Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.
View exploit detailsAttack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
3 techniquesReferences
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2025-12057 and every CVE in our database. Create a free account — no credit card required.
Create Free Account