Platform
wordpress
Component
mayosis-core
Fixed in
5.4.2
CVE-2025-1565 describes an Arbitrary File Read vulnerability discovered in the Mayosis Core WordPress plugin. This vulnerability allows unauthenticated attackers to read arbitrary files on the server, potentially exposing sensitive information like configuration files, database credentials, or source code. The vulnerability affects versions 0.0.0 through 5.4.1, and a patch is expected to be released by the vendor.
An attacker exploiting CVE-2025-1565 can leverage the library/wave-audio/peaks/remote_dl.php file to read any file accessible by the webserver process. This could include configuration files containing database credentials, API keys, or other sensitive data. Successful exploitation could lead to complete server compromise, data breaches, and unauthorized access to systems. The impact is particularly severe in shared hosting environments where multiple websites share the same server resources.
CVE-2025-1565 was publicly disclosed on 2025-04-25. While no public exploits have been confirmed, the ease of exploitation makes it a likely target for automated scanners and malicious actors. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept code is expected to emerge given the vulnerability's simplicity.
WordPress websites using the Mayosis Core plugin, particularly those running versions 0.0.0 through 5.4.1, are at risk. Shared hosting environments where users have limited control over file permissions are especially vulnerable, as attackers could potentially leverage this vulnerability to access files belonging to other users on the same server.
• wordpress / composer / npm:
grep -r 'remote_dl.php' /var/www/html/wp-content/plugins/mayosis-core/
• generic web:
curl -I http://your-wordpress-site.com/wp-content/plugins/mayosis-core/library/wave-audio/peaks/remote_dl.php
• wordpress / composer / npm:
wp plugin list --status=inactive | grep mayosis-core
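An added example (not from this advisory or the plugin vendor) that folds the checks above into one audit: it reads the plugin's Version: header, compares it with the 5.4.2 fix version listed on this page, and reports whether remote_dl.php is on disk. The main file name mayosis-core.php in the constructed sample tree and the verdict strings are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit a WordPress tree for the Mayosis Core exposure on this page.
FIXED="5.4.2"                                       # "fixed in" version from this page
ENDPOINT="library/wave-audio/peaks/remote_dl.php"   # file named on this page

# Print the "Version:" header value from the first root-level *.php that has one.
plugin_version() {
  local f v
  for f in "$1"/*.php; do
    [ -f "$f" ] || continue
    v=$(sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' "$f" | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
  done
  return 1
}

# True when version $1 sorts strictly before $2 (relies on sort -V).
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Verdict for the WordPress root in $1. Inspects files on disk, so a deactivated
# copy of the plugin is reported too.
audit_mayosis() {
  local dir="$1/wp-content/plugins/mayosis-core" ver verdict
  [ -d "$dir" ] || { echo "NOT_INSTALLED"; return 0; }
  if ver=$(plugin_version "$dir"); then
    if version_lt "$ver" "$FIXED"; then verdict="VULNERABLE"; else verdict="PATCHED"; fi
  else
    verdict="UNKNOWN_VERSION"
  fi
  if [ -f "$dir/$ENDPOINT" ]; then verdict="$verdict+ENDPOINT_PRESENT"; fi
  echo "$verdict"
}

# Constructed sample tree (hypothetical main file name mayosis-core.php) for a dry run.
make_sample() {  # $1 = version string to write into the plugin header
  local root; root=$(mktemp -d)
  mkdir -p "$root/wp-content/plugins/mayosis-core/$(dirname "$ENDPOINT")"
  printf '<?php\n/**\n * Plugin Name: Mayosis Core\n * Version: %s\n */\n' "$1" \
    > "$root/wp-content/plugins/mayosis-core/mayosis-core.php"
  : > "$root/wp-content/plugins/mayosis-core/$ENDPOINT"
  echo "$root"
}

# Audit the path given as the first argument, or the constructed sample by default.
audit_mayosis "${1:-$(make_sample 5.4.1)}"
```

Pass the WordPress root (for example /var/www/html) as the first argument to audit a real install instead of the constructed sample.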
Exploit status
EPSS
1.25% (79th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-1565 is to upgrade the Mayosis Core plugin to a version that addresses the vulnerability. If immediate upgrading is not possible, implement a Web Application Firewall (WAF) rule to block requests to the library/wave-audio/peaks/remote_dl.php endpoint. Additionally, restrict file system permissions to prevent the webserver user from accessing sensitive files. Regularly review file system permissions to ensure they adhere to the principle of least privilege.
Update the Mayosis Core plugin to the latest available version to fix this vulnerability. Check the plugin's support page or the WordPress repository for the most recent version and the update instructions. This update fixes the arbitrary file read vulnerability, protecting your website from unauthorized access to sensitive files.
CVE-2025-1565 is a vulnerability in the Mayosis Core WordPress plugin that allows unauthenticated attackers to read arbitrary files on the server. It has a CVSS score of 7.5 (HIGH).
You are affected if your WordPress site uses the Mayosis Core plugin and is running version 0.0.0 through 5.4.1. Check your plugin versions immediately.
Upgrade Mayosis Core to the latest available version as soon as a patch is released. Until then, restrict access to the vulnerable file using web server configuration or a WAF.
There are currently no confirmed reports of active exploitation, but the vulnerability's simplicity suggests it could be exploited soon.
Check the Mayosis Core plugin website or WordPress plugin repository for updates and advisories related to CVE-2025-1565.