CVE-2025-12057

WavePlayer · WavePlayer WordPress plugin

Executive summary

A critical remote code execution (RCE) vulnerability has been identified in the WavePlayer WordPress plugin. The flaw allows any unauthenticated attacker on the internet to upload an arbitrary file to the server, which can be used to gain complete control over the affected website. Successful exploitation could lead to total system compromise, data theft, and significant service disruption.

Vulnerability

The vulnerability exists due to two combined flaws within an AJAX action of the WavePlayer plugin. First, the function lacks proper authorization checks, allowing it to be triggered by unauthenticated users. Second, it fails to validate the file being copied to the server. An unauthenticated attacker can craft a malicious request to this AJAX endpoint, instructing the server to download and save a file from an attacker-controlled URL to a location on the web server, resulting in an arbitrary file upload. By uploading a malicious PHP script (a webshell), the attacker can then execute arbitrary commands on the server with the permissions of the web server process, leading to a full remote code execution.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. The business impact of a successful exploit is severe and can lead to a complete compromise of the web server. Potential consequences include the theft of sensitive data such as customer information, payment details, and intellectual property; website defacement and reputational damage; and the use of the compromised server as a platform for further attacks, such as distributing malware or participating in a botnet. Since the vulnerability is exploitable by an unauthenticated attacker, any publicly accessible website using a vulnerable version of the plugin is at high risk of compromise.

Remediation

Immediate Action: Update the WavePlayer WordPress plugin to the latest patched version (3.8.0 or later) without delay. After updating, review server access logs and the file system for signs of compromise, such as unexpected file uploads or suspicious POST requests to /wp-admin/admin-ajax.php.

Proactive Monitoring: System administrators should actively monitor web server access logs for unusual POST requests to the admin-ajax.php endpoint, particularly those associated with WavePlayer actions. Implement file integrity monitoring on web-accessible directories (e.g., wp-content/uploads) to detect the creation of unauthorized files, especially those with extensions like .php, .phtml, or .php5.
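The two monitoring checks described above, as an added example that is not part of this advisory or the vendor's tooling: it triages combined-format access log lines for POSTs to admin-ajax.php whose action name matches a filter, and flags PHP-variant files under the uploads tree. The action-name pattern ("waveplayer") and all sample log lines and paths are constructed assumptions; the advisory does not name the vulnerable action.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx "combined" log format (applied to constructed sample lines below).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Extensions the advisory names as script files that should never appear under uploads.
SCRIPT_EXTS = (".php", ".phtml", ".php5")
# Hypothetical action filter: the real WavePlayer AJAX action names are not given here.
DEFAULT_ACTION_PATTERN = re.compile(r"waveplayer", re.IGNORECASE)

def suspicious_ajax_requests(lines, action_pattern=DEFAULT_ACTION_PATTERN):
    """Return (ip, timestamp, action) for POSTs to admin-ajax.php whose query string
    names a matching action. POST bodies are not written to access logs, so this only
    sees actions passed in the URL; treat hits as triage leads, not proof of exploitation."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        action = parse_qs(url.query).get("action", [""])[0]
        if action_pattern.search(action):
            hits.append((m["ip"], m["ts"], action))
    return hits

def unexpected_upload_files(paths, uploads_prefix="wp-content/uploads/"):
    """Flag files under the uploads tree whose extension is a PHP variant (case-insensitive)."""
    return sorted(p for p in paths
                  if p.startswith(uploads_prefix) and p.lower().endswith(SCRIPT_EXTS))

# Constructed sample data (RFC 5737 test addresses), not real traffic or a real site.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Nov/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=waveplayer_example HTTP/1.1" 200 51',
    '198.51.100.7 - - [01/Nov/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 20',
    '203.0.113.5 - - [01/Nov/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 20',
    '203.0.113.5 - - [01/Nov/2025:10:00:04 +0000] "GET /wp-content/uploads/2025/11/unexpected.php HTTP/1.1" 200 512',
]
SAMPLE_FILES = [
    "wp-content/uploads/2025/11/track.mp3",
    "wp-content/uploads/2025/11/unexpected.php",
    "wp-content/uploads/2025/11/cover.PHTML",
    "wp-content/plugins/waveplayer/waveplayer.php",  # plugin code belongs here, not flagged
]

if __name__ == "__main__":
    print(suspicious_ajax_requests(SAMPLE_LOG))
    print(unexpected_upload_files(SAMPLE_FILES))
```

On a live host, feed the real access log lines and a `os.walk` listing of the document root into the two functions; a successful GET of a newly created .php file under uploads, as in the last sample line, is the strongest of these signals.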

Compensating Controls: If immediate patching is not feasible, consider the following mitigating actions:

  • Disable the WavePlayer plugin until it can be safely updated.
  • Implement a Web Application Firewall (WAF) with rules specifically designed to block malicious requests targeting the vulnerable AJAX action.
  • Restrict file permissions in the uploads directory to prevent the execution of scripts.

Exploitation status

Public Exploit Available: true

Analyst recommendation

Given the critical CVSS score of 9.8 and the availability of a public exploit, this vulnerability poses an immediate and severe threat to all organizations using a vulnerable version of the WavePlayer plugin. We strongly recommend that organizations apply the security update provided by the vendor without delay. Due to the unauthenticated nature of the vulnerability, organizations should treat this as an emergency patching situation and assume potential compromise if running an unpatched version. A thorough investigation for indicators of compromise, such as webshells or suspicious outbound traffic, is highly advised.