## https://sploitus.com/exploit?id=30AA1BFA-2FDD-56E9-877B-C9D6C4674688
# CVE-2025-12057 โ WordPress WavePlayer RCE PoC
Proof of Concept (PoC) for **CVE-2025-12057**, a critical vulnerability affecting the **WavePlayer WordPress plugin (
```
---
## 4. Make the payload downloadable
The exploit requires a **direct downloadable PHP payload URL**.
To do this, create another PHP file **in the same directory as the payload**.
Example structure:
```
payload.php
loader.php
```
Content of `loader.php`:
```php
```
Explanation:
- `$file = "payload.php";` โ name of the payload file to serve
- `header("Content-Type: application/x-httpd-php");` โ forces the server to return the file as PHP
- `readfile($file);` โ outputs the payload content
This allows the exploit script to download the payload correctly.
---
## 5. Use your payload URL
Upload both files to your server.
Example payload URL:
```
http://your-server.com/loader.php
```
When the script asks for the **payload URL**, provide the link to `loader.php`.
---
## 6. Results
Successful exploited targets will be saved in:
```
shells.txt
```
Example output:
```
https://example.com/wp-content/uploads/peaks/external/{random_numbers}.php
https://target2.com/wp-content/uploads/peaks/external/{random_numbers}.php
```
---
# Keywords
wordpress exploit
wordpress poc
wordpress rce
waveplayer exploit
arbitrary file upload
remote code execution
bug bounty
cve-2025-12057
---
# Disclaimer
This project is provided **for educational purposes and authorized security testing only**.
The author is not responsible for misuse or illegal activities performed using this code.