CVE-2025-66074
📋 TL;DR
This vulnerability allows attackers to upload arbitrary files to WordPress sites using the WP Webhooks plugin, potentially leading to remote code execution. It affects all WordPress installations with WP Webhooks plugin versions up to and including 3.3.8. Attackers can exploit this without authentication to compromise websites.
💻 Affected Systems
- WP Webhooks WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via webshell upload leading to data theft, defacement, or ransomware deployment.
Likely Case
Website takeover with backdoor installation, credential harvesting, and lateral movement within the hosting environment.
If Mitigated
File upload attempts blocked at WAF level, limiting impact to failed attack attempts.
🎯 Exploit Status
Exploitation requires minimal technical skill and tools are likely available in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: > 3.3.8
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find WP Webhooks plugin
4. Click 'Update Now' if available
5. Alternatively, download latest version from WordPress repository and manually update
🔧 Temporary Workarounds
Disable WP Webhooks Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate wp-webhooks
WAF File Upload Blocking
allConfigure WAF to block file uploads to WP Webhooks endpoints
🧯 If You Can't Patch
- Immediately disable WP Webhooks plugin via WordPress admin or command line
- Implement strict file upload filtering at web server level (e.g., .htaccess restrictions for Apache)
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > WP Webhooks version numberCheck Version:
wp plugin get wp-webhooks --field=versionVerify Fix Applied:
Confirm WP Webhooks version is > 3.3.8 in WordPress admin📡 Detection & Monitoring
Log Indicators:
- File upload attempts to /wp-content/plugins/wp-webhooks/ endpoints
- POST requests with file uploads to unusual paths
- Webshell file creation in upload directories
Network Indicators:
- Unusual file upload traffic to WordPress sites
- POST requests with executable file extensions
SIEM Query:
source="web_logs" AND (uri_path="/wp-content/plugins/wp-webhooks/*" AND method="POST" AND file_upload="true")