CVE-2025-12057: 
WordPress vulnerability analysis and mitigation

The WavePlayer WordPress plugin before version 3.8.0 contains a critical security vulnerability (CVE-2025-12057) discovered on October 29, 2025. The vulnerability allows unauthenticated users to upload arbitrary files to the server due to missing authorization checks in an AJAX action and inadequate file validation (WPScan).

The vulnerability stems from two key security issues: lack of proper authorization in an AJAX action and insufficient validation of files being copied locally. The vulnerability has received a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating its severe nature. The exploit involves fetching a nonce from any public page and using it to trigger the create_local_copy function, which allows uploading arbitrary files including PHP payloads (CISA-ADP, WPScan).

The vulnerability enables Remote Code Execution (RCE) through arbitrary file upload capabilities. Successful exploitation allows unauthenticated attackers to upload and execute malicious files on the target server, potentially leading to complete server compromise (WPScan).

Users are strongly advised to update the WavePlayer WordPress plugin to version 3.8.0 or later, which contains the security fix for this vulnerability (WPScan).