CVE-2025-8895
📋 TL;DR
The WP Webhooks WordPress plugin allows unauthenticated attackers to copy arbitrary files on the server due to improper input validation. This can lead to exposure of sensitive files like wp-config.php containing database credentials. All WordPress sites using WP Webhooks version 3.3.5 or earlier are affected.
💻 Affected Systems
- WP Webhooks WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via database credential theft, leading to data exfiltration, site defacement, or ransomware deployment.
Likely Case
Database credential theft leading to unauthorized database access, data manipulation, or privilege escalation.
If Mitigated
Limited impact if file permissions restrict sensitive file access or web server configuration prevents execution of copied files.
🎯 Exploit Status
Simple HTTP requests can trigger the vulnerability without authentication. Public exploit code is not confirmed but trivial to develop.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.6 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the WP Webhooks plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.3.6+ from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Disable WP Webhooks Plugin
Temporarily deactivate the vulnerable plugin until patched.
wp plugin deactivate wp-webhooks
Restrict Plugin Access
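Use a web application firewall or web server rules to block requests to wp-webhooks endpoints. The rules below only deny direct requests to files under the plugin directory; requests that WordPress routes to the plugin through its own entry points (index.php, the REST API) are not covered, so treat this as a stopgap and prefer deactivating or updating the plugin.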
# Add to .htaccess for Apache:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^wp-content/plugins/wp-webhooks/ - [F,L]
</IfModule>
# Add to nginx config:
location ~* /wp-content/plugins/wp-webhooks/ {
deny all;
}
🧯 If You Can't Patch
- Immediately disable WP Webhooks plugin via WordPress admin or command line.
- Implement strict file permissions (644 for files, 755 for directories) and disable PHP execution in uploads directories.
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins, or run: wp plugin get wp-webhooks --field=version
Check Version:
wp plugin get wp-webhooks --field=version
Verify Fix Applied:
Confirm WP Webhooks version is 3.3.6 or higher via WordPress admin or command: wp plugin get wp-webhooks --field=version
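An added example (not from the advisory or the plugin's authors) that wraps the version check above into a script for hosts with several WordPress installs: it compares the installed version against 3.3.6 and reports the plugin's activation status. It assumes WP-CLI is on PATH and a `sort` that supports `-V`; the function names and the site paths in the usage comment are illustrative.

```shell
#!/usr/bin/env bash
# Added example: classify WP Webhooks installs against the fixed release.
FIXED_VERSION="3.3.6"   # from the advisory: 3.3.5 and earlier are affected

# version_lt A B -> exit 0 when A sorts strictly before B (sort -V ordering,
# so 3.10.0 is correctly treated as newer than 3.3.6).
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# classify_version VERSION -> prints VULNERABLE, FIXED or UNKNOWN.
classify_version() {
  case "$1" in
    ''|*[!0-9.]*) echo "UNKNOWN" ;;   # empty or not a dotted-numeric version
    *) if version_lt "$1" "$FIXED_VERSION"; then echo "VULNERABLE"
       else echo "FIXED"; fi ;;
  esac
}

# audit_site WP_ROOT -> one report line for that WordPress install (needs WP-CLI).
audit_site() {
  local root="$1" version state
  if ! wp --path="$root" plugin is-installed wp-webhooks 2>/dev/null; then
    echo "$root: wp-webhooks not installed"
    return 0
  fi
  version="$(wp --path="$root" plugin get wp-webhooks --field=version 2>/dev/null)"
  state="$(wp --path="$root" plugin get wp-webhooks --field=status 2>/dev/null)"
  echo "$root: version=${version:-?} status=${state:-?} $(classify_version "$version")"
}

# Usage: ./audit-wp-webhooks.sh /var/www/site1 /var/www/site2   (placeholder paths)
for root in "$@"; do
  audit_site "$root"
done
```

An install reported as VULNERABLE with status=inactive is not reachable through WordPress, but the files are still on disk and should be updated before the plugin is re-enabled.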
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-content/plugins/wp-webhooks/ endpoints with file copy parameters
- Unusual file creation in web-accessible directories
- Access to sensitive files like wp-config.php from unexpected locations
Network Indicators:
- POST/GET requests to wp-webhooks endpoints with source/destination file parameters
- Traffic patterns showing file copy operations
SIEM Query:
source="web_server" AND (uri_path CONTAINS "/wp-content/plugins/wp-webhooks/" OR user_agent CONTAINS "wp-webhooks") AND (params CONTAINS "file" OR params CONTAINS "copy" OR params CONTAINS "source" OR params CONTAINS "destination")
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3347509%40wp-webhooks%2Ftrunk&old=3327632%40wp-webhooks%2Ftrunk&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/wp-webhooks
- https://www.wordfence.com/threat-intel/vulnerabilities/id/de9c9e1e-3c3c-463a-a78c-d8bc7228da93?source=cve