CVE-2025-12057

CRITICAL · EXPLOITED

WavePlayer WP <3.8.0 - Unauthenticated RCE


Exploitation Summary

CVE-2025-12057 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including adminlove520, DeadExpl0it.

AI-analyzed exploit summary: This repository contains a functional Python exploit for CVE-2025-12057, targeting an unauthenticated arbitrary file upload vulnerability in the WordPress WavePlayer plugin (< 3.8.0). The exploit automates the process of uploading a malicious PHP payload to achieve remote code execution (RCE).

Description

The WavePlayer WordPress plugin before 3.8.0 lacks an authorization check in one of its AJAX actions and does not validate the file that action copies to the local filesystem. An unauthenticated user can therefore upload an arbitrary file (for example a PHP script) into a web-served directory, which leads to remote code execution.
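The following is an added illustration of the two weaknesses the advisory names (a `wp_ajax_nopriv_` handler with no authorization check, and a copy of a caller-supplied file with no type validation) next to a hardened version of the same handler. It is not WavePlayer's code: the action names (`example_copy_file_vulnerable`, `example_copy_file`), the request parameters (`src`, `name`, `nonce`) and the allowed audio formats are hypothetical, chosen only to show the pattern. The WordPress API calls (`check_ajax_referer`, `current_user_can`, `wp_check_filetype`, `wp_check_filetype_and_ext`, `download_url`, `media_handle_sideload`) are real.

```php
<?php
// Added example, not plugin code. Action and parameter names are hypothetical.

// --- Vulnerable pattern (CWE-434 plus missing authorization) ---
// wp_ajax_nopriv_* fires for visitors who are not logged in; there is no nonce
// or capability check, and the remote file is written to the uploads directory
// under whatever name the request supplies, so "shell.php" lands in a web-served path.
function example_copy_file_vulnerable() {
    $src  = $_POST['src'];              // attacker-controlled URL
    $name = basename( $_POST['name'] ); // attacker-controlled file name
    $dir  = wp_upload_dir();
    copy( $src, trailingslashit( $dir['basedir'] ) . $name );
    wp_send_json_success( trailingslashit( $dir['baseurl'] ) . $name );
}
add_action( 'wp_ajax_example_copy_file_vulnerable', 'example_copy_file_vulnerable' );
add_action( 'wp_ajax_nopriv_example_copy_file_vulnerable', 'example_copy_file_vulnerable' );

// --- Hardened pattern ---
// Registered only for logged-in users (no wp_ajax_nopriv_ hook), requires a nonce
// and the upload_files capability, restricts the file to the formats the player
// needs, and validates the downloaded bytes, not just the name, before storing it.
function example_copy_file_hardened() {
    check_ajax_referer( 'example_copy_file', 'nonce' ); // dies on a bad/missing nonce
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $src = isset( $_POST['src'] ) ? esc_url_raw( wp_unslash( $_POST['src'] ) ) : '';
    $scheme = wp_parse_url( $src, PHP_URL_SCHEME );
    if ( '' === $src || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        wp_send_json_error( 'bad url', 400 );
    }

    // Name comes from the URL path and is sanitized; only audio extensions are allowed.
    $name    = sanitize_file_name( wp_basename( (string) wp_parse_url( $src, PHP_URL_PATH ) ) );
    $allowed = array( 'mp3' => 'audio/mpeg', 'wav' => 'audio/wav', 'ogg' => 'audio/ogg' );
    $type    = wp_check_filetype( $name, $allowed );
    if ( empty( $type['ext'] ) ) {
        wp_send_json_error( 'unsupported file type', 415 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    // download_url() fetches through the WP HTTP API into a temp file instead of
    // copy()ing straight into the web root.
    $tmp = download_url( $src );
    if ( is_wp_error( $tmp ) ) {
        wp_send_json_error( $tmp->get_error_message(), 502 );
    }

    // Re-check using the file contents (finfo) so a PHP script renamed to .mp3 is rejected.
    $real = wp_check_filetype_and_ext( $tmp, $name, $allowed );
    if ( empty( $real['ext'] ) || $real['ext'] !== $type['ext'] ) {
        @unlink( $tmp );
        wp_send_json_error( 'content does not match extension', 415 );
    }

    // Hand the file to the media library, which applies WordPress's own upload checks.
    $id = media_handle_sideload( array( 'name' => $name, 'tmp_name' => $tmp ), 0 );
    if ( is_wp_error( $id ) ) {
        @unlink( $tmp );
        wp_send_json_error( $id->get_error_message(), 400 );
    }
    wp_send_json_success( wp_get_attachment_url( $id ) );
}
add_action( 'wp_ajax_example_copy_file', 'example_copy_file_hardened' );
// Deliberately no add_action( 'wp_ajax_nopriv_example_copy_file', ... ): an
// unauthenticated POST to admin-ajax.php for this action gets a 400 from core.
```

The two checks that matter most are the missing `wp_ajax_nopriv_` registration plus the capability check (closing the authorization gap) and the content-based `wp_check_filetype_and_ext` call (closing the file-validation gap); either one alone would have blocked the unauthenticated PHP upload the public PoCs perform. Using `download_url()` rather than `copy()` on a caller-supplied URL also means the fetch goes through `wp_safe_remote_get()`, which refuses loopback and private-network hosts.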

Exploits (2)

github · WORKING POC · 2 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-12057

This repository contains a functional Python exploit for CVE-2025-12057, targeting an unauthenticated arbitrary file upload vulnerability in the WordPress WavePlayer plugin (< 3.8.0). The exploit automates the process of uploading a malicious PHP payload to achieve remote code execution (RCE).

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress WavePlayer plugin < 3.8.0
No auth needed
Prerequisites: target WordPress site URL · hosted PHP payload URL
devstral-2 · analyzed Mar 13, 2026
nomisec · WORKING POC
by DeadExpl0it · poc
https://github.com/DeadExpl0it/CVE-2025-12057-WordPress-Exploit-PoC

This repository contains a functional exploit for CVE-2025-12057, an unauthenticated arbitrary file upload vulnerability in the WordPress WavePlayer plugin (< 3.8.0). The exploit uploads a malicious PHP payload to achieve remote code execution (RCE).

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress WavePlayer plugin < 3.8.0
No auth needed
Prerequisites: target WordPress site with vulnerable WavePlayer plugin · direct downloadable PHP payload URL
devstral-2 · analyzed Mar 13, 2026

References (1)

Core References (1)
Third Party Advisory · exploit · vdb-entry · technical-description
https://wpscan.com/vulnerability/110db433-01ec-47ea-b74f-c3faa1757a3c/

Scores

CVSS v3 9.8
EPSS 0.0007
EPSS Percentile 22.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2025-11-25
CWE
CWE-434
Status published
Products (1)
Unknown/WavePlayer < 3.8.0
Published Nov 19, 2025
Tracked Since Feb 18, 2026