CVE-2025-12057

CRITICAL EXPLOITED

WavePlayer WP <3.8.0 - Unauthenticated RCE

Title source: llm

Description

The WavePlayer WordPress plugin before 3.8.0 does not perform an authorization check in an AJAX action and does not validate the file it copies locally, allowing unauthenticated users to upload arbitrary files to the server, leading to remote code execution (RCE).

Exploits (2)

github WORKING POC 2 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-12057
nomisec WORKING POC
by DeadExpl0it · poc
https://github.com/DeadExpl0it/CVE-2025-12057-WordPress-Exploit-PoC

Scores

CVSS v3 9.8
EPSS 0.0006
EPSS Percentile 19.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2025-11-25
CWE
CWE-434
Status published
Products (1)
Unknown/WavePlayer < 3.8.0
Published Nov 19, 2025
Tracked Since Feb 18, 2026