WavePlayer < 3.8.0 - Unauthenticated Arbitrary File Upload_CVE-2025-12057

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The WavePlayer WordPress plugin before 3.8.0 does not have authorization in an AJAX action as well as does not validate the file to be copied locally, allowing unauthenticated users to upload arbitrary file on the server and lead to RCE

Basic Information

ID CVE-2025-12057

Source WPScan

Published Nov 19, 2025 at 06:00

Modified Nov 19, 2025 at 19:28

Affected Product

Vendor Unknown

Product WavePlayer

Affected Versions Unknown WavePlayer 0

CWE Classification

References

wpscan.com /vulnerability/110db433-01ec-47ea-b74f-c3faa1757a3c/

{
    "lastseen": "",
    "description": "The WavePlayer WordPress plugin before 3.8.0 does not have authorization in an AJAX action as well as does not validate the file to be copied locally, allowing unauthenticated users to upload arbitrary file on the server and lead to RCE",
    "published": "2025-11-19T06:00:05.080Z",
    "modified": "2025-11-19T19:28:46.929Z",
    "type": "cve",
    "title": "WavePlayer < 3.8.0 - Unauthenticated Arbitrary File Upload",
    "source": "WPScan",
    "references": "https://wpscan.com/vulnerability/110db433-01ec-47ea-b74f-c3faa1757a3c/",
    "id": "CVE-2025-12057",
    "bulletinFamily": "",
    "cwe": [
        ""
    ],
    "cvelist": null,
    "sourceData": "Unknown WavePlayer 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WavePlayer",
    "version": "0",
    "vendor": "Unknown",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}