Cyber Resilience

CVE-2025-1565

High

Published: 25 April 2025
Modified: 15 April 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0055 (68.5th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1565 is a high-severity Path Traversal (CWE-22) vulnerability in the Mayosis Core plugin for WordPress; the affected asset is listed as Themeforest (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 31.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Mayosis Core plugin for WordPress is vulnerable to arbitrary file read in all versions through 5.4.1. The flaw exists in the library/wave-audio/peaks/remote_dl.php component and stems from improper path handling classified as CWE-22, allowing unauthenticated network attackers to retrieve the contents of arbitrary server files.

An unauthenticated attacker can send crafted requests to the affected endpoint and obtain sensitive information stored on the server, such as configuration data or other restricted files, without any user interaction or privileges.

Public references point to the vendor's ThemeForest listing for the Mayosis digital marketplace theme and to a detailed entry on the Wordfence threat-intelligence platform, though no specific patch or mitigation guidance is supplied in the available references.

EPSS for the CVE rose from a low baseline to a recorded peak of 0.0125, indicating emerging exploitation interest after disclosure.

Vulnerability details

The Mayosis Core plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.4.1 via the library/wave-audio/peaks/remote_dl.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Themeforest
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
