Arbitrary File Upload Vulnerability in WavePlayer Plugin for WordPress
CVE-2025-12057
Currently unrated
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 19 November 2025
Badges
👾 Exploit Exists🟡 Public PoC
What is CVE-2025-12057?
The WavePlayer plugin for WordPress, prior to version 3.8.0, contains a critical vulnerability that allows unauthenticated users to exploit an AJAX action without proper authorization. By failing to validate the file intended for local copying, the vulnerability permits unauthorized file uploads to the server, which can potentially lead to remote code execution (RCE). This poses significant security risks for WordPress sites utilizing the plugin, as attackers can manipulate the server environment.
Affected Version(s)
WavePlayer 0 < 3.8.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.