WP Webhooks

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The WP Webhooks plugin for WordPress is vulnerable to arbitrary file copy due to missing validation of user-supplied input in all versions up to, and including, 3.3.5. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server to arbitrary locations. This can be used to copy the contents of wp-config.php into a text file which can then be accessed in a browser to reveal database credentials.

Basic Information

ID CVE-2025-8895

Source Wordfence

Published Aug 21, 2025 at 07:26

Affected Product

Vendor cozmoslabs

Product WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress

Version *

Affected Versions cozmoslabs WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress *

CWE Classification

CWE-22

References

{
    "lastseen": "",
    "description": "The WP Webhooks plugin for WordPress is vulnerable to arbitrary file copy due to missing validation of user-supplied input in all versions up to, and including, 3.3.5. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server to arbitrary locations. This can be used to copy the contents of wp-config.php into a text file which can then be accessed in a browser to reveal database credentials.",
    "published": "2025-08-21T07:26:35.909Z",
    "modified": "2025-08-21T07:26:35.909Z",
    "type": "cve",
    "title": "WP Webhooks  <= 3.3.5 - Unauthenticated Arbitrary File Copy",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/de9c9e1e-3c3c-463a-a78c-d8bc7228da93?source=cve\nhttps://wordpress.org/plugins/wp-webhooks\nhttps://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3347509%40wp-webhooks%2Ftrunk&old=3327632%40wp-webhooks%2Ftrunk&sfp_email=&sfph_mail=",
    "id": "CVE-2025-8895",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "cozmoslabs WP Webhooks \u2013 Automate repetitive tasks by creating powerful automation workflows directly within WordPress *",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WP Webhooks \u2013 Automate repetitive tasks by creating powerful automation workflows directly within WordPress",
    "version": "*",
    "vendor": "cozmoslabs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

WP Webhooks <= 3.3.5 - Unauthenticated Arbitrary File Copy_CVE-2025-8895