CVE-2025-12057 affects the WavePlayer WordPress plugin before version 3.8.0. The plugin exposes an AJAX action that lacks proper authorization checks and also fails to validate the file being copied locally. This combination allows an unauthenticated attacker to abuse the AJAX functionality to place an arbitrary file on the server. Because the uploaded file can be attacker-controlled and placed in a web-accessible context, the flaw can be leveraged to execute arbitrary code on the underlying WordPress host.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a small standalone Python exploit PoC for CVE-2025-12057 affecting the WordPress WavePlayer plugin before 3.8.0. It contains two files: `README.md`, which explains the vulnerability and operator workflow, and `wave.py`, the actual exploit script. The script is not part of a larger framework. `wave.py` is the main entry point and implements a multithreaded scanner/exploit tool. It reads a text file of target WordPress site URLs, prompts the operator for an attacker-controlled payload URL, and then processes targets concurrently using Python threads and a queue. For each target, it first performs a GET request to the site root and attempts to extract a usable nonce from page content using several regex patterns (`ajax_nonce`, `nonce`, `_nonce`, `security`, `wpnonce`, and `nonce=`). If a nonce is found, it sends a POST request to `/?wvpl-ajax=create_local_copy` with form data containing the nonce and the attacker-supplied remote payload URL. If the server returns JSON with `success: true`, the script treats the target as vulnerable and extracts `data.track.temp_file`, which appears to be the uploaded file path/URL, then appends it to `shells.txt`. The exploit capability is unauthenticated remote file upload leading to RCE, assuming the vulnerable plugin endpoint will fetch and store a remote PHP file. The README explicitly describes using a PHP webshell payload and a helper `loader.php` to ensure the payload is served with a PHP content type. This makes the repository more than a detector: it actively attempts exploitation and records resulting shell locations. The code uses `requests`, disables TLS verification, retries failed requests, and sets a browser-like User-Agent. Overall, this is an operational PoC scanner/exploit for bulk targeting of WordPress sites running vulnerable WavePlayer versions.
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A vulnerability in WavePlayer listed among the flaws targeted by the operation.
A vulnerability in the WavePlayer WordPress plugin that was directly targeted in the WP-SHELLSTORM campaign.
A publicly known vulnerability affecting the WavePlayer WordPress plugin that is being exploited in a large-scale campaign targeting CMS platforms for webshell deployment.
An arbitrary file upload vulnerability in WavePlayer used to create executable files in the plugin upload directory.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.