← back
CVE-2025-12057

WavePlayer < 3.8.0 - Unauthenticated Arbitrary File Upload

CVSS 9.8 CRITICALEPSS 0.4%CWE-434
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.8EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
19 Nov 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The WavePlayer WordPress plugin before 3.8.0 does not have authorization in an AJAX action as well as does not validate the file to be copied locally, allowing unauthenticated users to upload arbitrary file on the server and lead to RCE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Unknown · WavePlayer