Description
The Mayosis Core plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.4.1 via the library/wave-audio/peaks/remote_dl.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2025-04-25
Score: 7.5 High
EPSS: 1.3% Low
KEV: No
Impact: Arbitrary File Read
Action: Patch Update
AI Analysis

Impact

The vulnerability in Mayosis Core allows an unauthenticated user to retrieve any file stored on the web server through the remote_dl.php endpoint. Because the plugin does not validate the requested file path, attackers can direct requests at system files, configuration files, or other sensitive data, potentially exposing credentials or secrets. This weakness, classified as a CWE-22 path traversal flaw, directly compromises confidentiality by exposing sensitive server contents.

Affected Systems

The affected vendor is TeconceTheme, and the affected product is the Mayosis Core WordPress plugin, version 5.4.1 and earlier. No additional products or versions are listed in the vendor's enumeration, so only installations of Mayosis Core at or below 5.4.1 are susceptible.

Risk and Exploitability

The CVSS score of 7.5 places this issue in the high severity range. An EPSS score of 1% indicates a very low, but not negligible, likelihood that vulnerability scanners or exploit tools target this weakness. The issue is not currently listed in the CISA KEV catalog. Exploitation requires no special privileges or authenticated access; any internet-connected user can craft a request to remote_dl.php and obtain the contents of arbitrary files, assuming no server-side restrictions are in place. This local filesystem read can disclose critical data that supports further attacks, such as credential stuffing or application compromise.

Generated by OpenCVE AI on April 20, 2026 at 23:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mayosis Core to the latest release (5.4.2 or newer) to remove the vulnerable endpoint.
  • If an immediate update is not possible, delete or rename the remote_dl.php file so it cannot be accessed remotely.
  • Reconfigure the web server or add a firewall rule to deny HTTP and HTTPS requests whose path ends with remote_dl.php or falls under the library/wave-audio/peaks directory.
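The following is an added example, not code from OpenCVE, Wordfence, or the plugin vendor. It turns the recommended deny rule above (requests whose path ends with remote_dl.php or sits under wave-audio/peaks) into a log-triage script that a defender can run over existing web-server access logs to find out whether the endpoint was reached before the update or blocking rule went in, which is the exposure window described under Risk and Exploitability. It also flags requests whose decoded target carries path-traversal sequences, the CWE-22 pattern the analysis names. The log lines, client IPs, and the `src` query parameter are constructed for the example; the page does not name the plugin's real request parameter, and the log format is assumed to be Apache/nginx combined format.

```python
"""Triage access logs for requests to the Mayosis Core remote_dl.php endpoint.

Added example (not OpenCVE's or the plugin vendor's code). It applies the
recommended deny predicate (path ends with remote_dl.php, or lies under
wave-audio/peaks) to combined-format log lines and marks requests whose
percent-decoded target contains traversal sequences.
"""
import re
from urllib.parse import unquote, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; IPs are documentation ranges and the ?src=
# parameter is a placeholder, not the plugin's real parameter name.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Apr/2025:10:01:02 +0000] "GET /wp-content/plugins/mayosis-core/library/wave-audio/peaks/remote_dl.php?src=sample.mp3 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Apr/2025:10:01:03 +0000] "GET /wp-content/plugins/mayosis-core/library/wave-audio/peaks/remote_dl.php?src=..%2F..%2Fconfig-placeholder.txt HTTP/1.1" 200 2970 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Apr/2025:10:02:10 +0000] "GET /wp-content/plugins/mayosis-core/library/wave-audio/peaks/ HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.9 - - [25/Apr/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Apr/2025:10:04:41 +0000] "GET /wp-content/plugins/mayosis-core/library/wave-audio/peaks/remote_dl.php?src=..%252F..%252Fconfig-placeholder.txt HTTP/1.1" 200 2970 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def matches_block_rule(path: str) -> bool:
    """Same predicate as the recommended web-server/firewall deny rule."""
    p = path.lower()
    return p.endswith("remote_dl.php") or "/wave-audio/peaks/" in p


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded '..%252F' is seen too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target: str) -> bool:
    """True if the decoded request target contains a '../' style sequence."""
    decoded = fully_decode(target).replace("\\", "/")
    return "../" in decoded or decoded.endswith("/..")


def triage(log_text: str):
    """Return one finding per request that hits the deny rule."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a combined-format line
        path = urlsplit(rec["target"]).path
        if not matches_block_rule(fully_decode(path)):
            continue
        findings.append({
            "ip": rec["ip"],
            "target": rec["target"],
            "status": int(rec["status"]),
            "traversal": has_traversal(rec["target"]),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "TRAVERSAL" if f["traversal"] else "endpoint-hit"
        print(f"{f['ip']:15} {f['status']} {flag:12} {f['target']}")
```

A 200 response paired with a traversal flag is the line worth escalating: it means the request reached the endpoint and was served rather than rejected. A 403 on the same paths after the deny rule is deployed is the expected steady state and confirms the rule is in effect.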

Advisories
Source: EUVD
ID: EUVD-2025-12544
Title: The Mayosis Core plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.4.1 via the library/wave-audio/peaks/remote_dl.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
History

Fri, 25 Apr 2025 15:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 25 Apr 2025 09:45:00 +0000

Values added:
  Description: The Mayosis Core plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.4.1 via the library/wave-audio/peaks/remote_dl.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
  Title: Mayosis Core <= 5.4.1 - Unauthenticated Arbitrary File Read
  Weaknesses: CWE-22
  References:
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:00.600Z

Reserved: 2025-02-21T17:21:55.711Z

Link: CVE-2025-1565

Vulnrichment

Updated: 2025-04-25T14:27:51.560Z

NVD

Status: Deferred

Published: 2025-04-25T10:15:15.557

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1565

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:15:06Z

Weaknesses