CVE-2025-1565
Published: 25 April 2025
Summary
CVE-2025-1565 is a high-severity Path Traversal (CWE-22) vulnerability in the Mayosis Core plugin for WordPress; the product attribution is inferred from references, which point to the theme's ThemeForest listing. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 31.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
The Mayosis Core plugin for WordPress is vulnerable to arbitrary file read in all versions up to and including 5.4.1. The flaw lies in the library/wave-audio/peaks/remote_dl.php component and stems from improper limitation of a pathname to a restricted directory (CWE-22): a client-controlled file name reaches the filesystem without being confined to the intended directory, so an unauthenticated network attacker can retrieve the contents of any file the web server process is permitted to read.
An unauthenticated attacker can send crafted requests to the affected endpoint and obtain sensitive information stored on the server, such as configuration files (on a WordPress host, wp-config.php holds the database credentials and authentication salts) or other restricted files, with no user interaction or privileges required.
Public references point to the theme's ThemeForest listing and to a detailed entry on the Wordfence threat-intelligence platform; the available references supply no specific patch or mitigation guidance. Because every release through 5.4.1 is affected, operators should look for a plugin release newer than 5.4.1 and, until one is confirmed, treat blocking unauthenticated requests to library/wave-audio/peaks/remote_dl.php at the web server or WAF as a reasonable interim control.
The CVE's EPSS score rose from a low baseline to a recorded peak of 0.0125 (a predicted 1.25% probability of exploitation in the wild within the next 30 days), indicating emerging exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12544
Vulnerability details
The Mayosis Core plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.4.1 via the library/wave-audio/peaks/remote_dl.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Related Threats
No named actor attribution yet; ATT&CK technique mapping for this CVE is in progress.
Affected Assets
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.
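As an added example (not code from the Mayosis Core plugin, whose remote_dl.php is not reproduced here), the script below places the naive file-name handling that produces an arbitrary file read of the kind described in the deeper analysis next to the control listed above: canonicalise the requested name, then confirm it is contained in the intended directory. Both resolvers are run against constructed traversal payloads in a throwaway directory tree. It is written in Python to keep the check language-neutral; the `file`-style parameter handling, the directory layout (a `peaks` subdirectory beside a `wp-config.php`), the `.json` allow-list and the payloads are assumptions for illustration, not details taken from the advisory.

```python
"""CWE-22 demo: naive path join versus canonicalise-and-contain resolver.

Added example, not code from the Mayosis Core plugin. Directory layout,
file names and payloads are constructed for illustration.
"""
import os
import shutil
import tempfile
import urllib.parse
from typing import Dict, Optional

PEAKS_SUBDIR = "peaks"  # hypothetical directory the endpoint is meant to serve from


def build_sandbox() -> str:
    """Create <root>/wp-config.php (the 'secret') and <root>/peaks/track.json."""
    root = tempfile.mkdtemp(prefix="cwe22-demo-")
    os.makedirs(os.path.join(root, PEAKS_SUBDIR))
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_PASSWORD', 'constructed-secret'); ?>")  # constructed sample
    with open(os.path.join(root, PEAKS_SUBDIR, "track.json"), "w") as f:
        f.write('{"peaks": [0.1, 0.4, 0.9]}')  # constructed sample
    return root


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """Naive join that trusts the client-supplied name.

    '../' segments walk out of base_dir, and an absolute path replaces it
    entirely (os.path.join discards earlier components when one is absolute).
    """
    return os.path.join(base_dir, urllib.parse.unquote(requested))


def hardened_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path to serve, or None if the request must be refused."""
    decoded = urllib.parse.unquote(requested)
    # Reject empty names and embedded NULs (classic extension-bypass trick).
    if not decoded or "\x00" in decoded:
        return None
    # Reject absolute paths outright; only a bare file name is expected here.
    if os.path.isabs(decoded):
        return None
    # Allow-list: a single basename (no separators, so no '..') with a fixed extension.
    if os.path.basename(decoded) != decoded or not decoded.endswith(".json"):
        return None
    # Canonicalise both sides (resolves '..' and symlinks) and check containment.
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, decoded))
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target


def read_file(path: str) -> Optional[str]:
    """Read a file as the server would; None on any failure (missing, NUL byte, ...)."""
    try:
        with open(path) as f:
            return f.read()
    except (OSError, ValueError):
        return None


def run_demo() -> Dict[str, Dict[str, bool]]:
    """Run constructed payloads through both resolvers; report leak/allow per payload."""
    root = build_sandbox()
    peaks_dir = os.path.join(root, PEAKS_SUBDIR)
    payloads = {
        "legit": "track.json",
        "dotdot": "../wp-config.php",
        "encoded": "%2e%2e%2fwp-config.php",            # URL-encoded '../'
        "absolute": os.path.join(root, "wp-config.php"),
        "nullbyte": "../wp-config.php%00.json",         # NUL to defeat a suffix check
    }
    results: Dict[str, Dict[str, bool]] = {}
    try:
        for name, payload in payloads.items():
            leaked = read_file(vulnerable_resolve(peaks_dir, payload))
            results[name] = {
                "vulnerable_leaked_secret": bool(leaked and "DB_PASSWORD" in leaked),
                "hardened_allowed": hardened_resolve(peaks_dir, payload) is not None,
            }
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:9s} {outcome}")
```

The containment check on `realpath` output is what actually closes CWE-22; the basename allow-list in front of it is defence in depth that also rejects names this endpoint has no business serving. Note that the NUL-byte payload fails to leak even through the naive resolver, because the runtime refuses paths with embedded NULs, so its absence from an exploit attempt says nothing about whether the hardening is in place.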