Platform: wordpress
Component: mayosis-core
Fixed in: 5.4.2
CVE-2025-1565 describes an Arbitrary File Read vulnerability discovered in the Mayosis Core WordPress plugin. This vulnerability allows unauthenticated attackers to read arbitrary files on the server, potentially exposing sensitive information like configuration files, database credentials, or source code. The vulnerability affects versions 0.0.0 through 5.4.1, and a patch is expected to be released by the vendor.
Successful exploitation of CVE-2025-1565 allows an attacker to read any file accessible by the web server process. This could include sensitive configuration files containing database passwords, API keys, or other credentials. Attackers could also potentially access source code, revealing internal logic and further vulnerabilities. The impact is significant as it requires no authentication, making it easily exploitable by a wide range of attackers. The ability to read arbitrary files could lead to complete compromise of the WordPress instance and potentially the underlying server.
CVE-2025-1565 was publicly disclosed on 2025-04-25. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's simplicity suggests that a PoC is likely to emerge quickly. It is not currently listed on CISA KEV, and there are no reports of active exploitation campaigns. The NVD record was published on 2025-04-25.
Exploit Status
EPSS: 1.25% (79th percentile)
The primary mitigation for CVE-2025-1565 is to upgrade Mayosis Core to a patched version as soon as it becomes available. Until a patch is released, consider restricting access to the library/wave-audio/peaks/remotedl.php file using your web server's configuration (e.g., .htaccess for Apache, or equivalent for Nginx). Implement a Web Application Firewall (WAF) rule to block requests to this file. Carefully review file permissions on the server to ensure that the web server process has only the necessary access to files. After upgrading, verify the fix by attempting to access library/wave-audio/peaks/remotedl.php through a web browser; it should return a 403 Forbidden error.
Update the Mayosis Core plugin to the latest available version to fix this vulnerability. Check the plugin's support page or the WordPress repository for the most recent version and update instructions. This update fixes the arbitrary file read vulnerability, protecting your website from unauthorized access to sensitive files.
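To check whether the file named in the mitigation steps above has already been requested, and whether the access restriction is taking effect, the following added example (not part of the original advisory or the plugin's code) scans web server access logs in Combined Log Format. The sample log lines, IP addresses and the `/wp-content/plugins/mayosis-core/` install prefix are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Path as given in the advisory; matched as a suffix because the plugin's
# install prefix is not stated there.
TARGET = "library/wave-audio/peaks/remotedl.php"

# Combined Log Format: ip ident user [time] "METHOD uri PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

SAMPLE_LOG = [  # constructed lines: documentation-range IPs, assumed install prefix
    '203.0.113.7 - - [26/Apr/2025:10:01:02 +0000] "GET /wp-content/plugins/mayosis-core/library/wave-audio/peaks/remotedl.php HTTP/1.1" 200 1843 "-" "curl/8.5.0"',
    '198.51.100.23 - - [26/Apr/2025:10:05:40 +0000] "GET /wp-content/plugins/mayosis-core//library/wave-audio/peaks/remotedl.php HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.10 - - [26/Apr/2025:10:06:11 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def normalise_path(uri):
    """Drop the query string, decode percent-encoding, collapse slashes, lowercase."""
    path = unquote(uri.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def find_hits(lines):
    """Return one dict per logged request that targeted the advisory's file."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not normalise_path(m["uri"]).endswith("/" + TARGET):
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        hits.append({
            "ip": m["ip"], "time": m["time"], "status": status, "size": size,
            # A 2xx response with a body means the script ran and returned data;
            # a 403 means the web server or WAF restriction is in effect.
            "served": 200 <= status < 300 and size > 0,
        })
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Any hit with `served` set to true predates or bypasses the restriction and warrants rotating the credentials stored in files readable by the web server process.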
CVE-2025-1565 is a vulnerability in the Mayosis Core WordPress plugin that allows unauthenticated attackers to read arbitrary files on the server. It has a CVSS score of 7.5 (HIGH).
You are affected if your WordPress site uses the Mayosis Core plugin and is running version 0.0.0 through 5.4.1. Check your plugin versions immediately.
Upgrade Mayosis Core to the latest available version as soon as a patch is released. Until then, restrict access to the vulnerable file using web server configuration or a WAF.
There are currently no confirmed reports of active exploitation, but the vulnerability's simplicity suggests it could be exploited soon.
Check the Mayosis Core plugin website or WordPress plugin repository for updates and advisories related to CVE-2025-1565.