CVE-2025-8625

The Copypress Rest API plugin for WordPress

A critical vulnerability has been identified in the Copypress Rest API plugin for WordPress, rated with a CVSS score of 9.8.

Executive summary

A critical vulnerability has been identified in the Copypress Rest API plugin for WordPress, rated with a CVSS score of 9.8. This flaw allows an unauthenticated attacker to execute arbitrary code remotely on the web server, potentially leading to a complete compromise of the affected website. Successful exploitation could result in data theft, website defacement, or the server being used for further malicious activities.

Vulnerability

The vulnerability exists within the copyreap_handle_image() function. The plugin uses a hard-coded JSON Web Token (JWT) signing key as a fallback mechanism for authentication. An unauthenticated attacker who knows this hard-coded key can forge a valid JWT, bypass authentication checks, and send a malicious request to the vulnerable function. This allows the attacker to upload and execute arbitrary code on the server, resulting in a full system compromise.
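The defect described above is a design pattern rather than a single bug: a verifier that silently falls back to a key shipped in the source means every install that never set its own secret accepts tokens anyone can mint from that key. The following Python block is an added illustration of that pattern beside its fail-closed form; it is not the plugin's code (the plugin is PHP), and the fallback key value, claim names and function names are constructed for the demo.

```python
"""Hard-coded JWT fallback key: the vulnerable pattern beside the fail-closed form.

Added illustration in Python of the defect class described for
copyreap_handle_image(); not the plugin's own code. FALLBACK_KEY, the claims
and the function names are constructed for this demo.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for a default key shipped in source. In the vulnerable
# pattern, any install that never configured its own secret verifies against it.
FALLBACK_KEY = b"example-default-key-shipped-in-source"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT; used here only to produce test tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def mint_demo_token(key: bytes) -> str:
    """Token with a 5-minute lifetime, so tests do not depend on wall-clock luck."""
    return sign_hs256({"sub": "image-upload", "exp": int(time.time()) + 300}, key)


def _verify(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the HS256 signature under `key` is valid and unexpired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def verify_vulnerable(token: str, configured_key: Optional[bytes]) -> Optional[dict]:
    """Vulnerable pattern: silently fall back to the key shipped in source."""
    return _verify(token, configured_key or FALLBACK_KEY)


def verify_hardened(token: str, configured_key: Optional[bytes]) -> Optional[dict]:
    """Fail closed: without a per-site secret of adequate length, no token is accepted."""
    if not configured_key or len(configured_key) < 32:
        return None
    return _verify(token, configured_key)


if __name__ == "__main__":
    default_signed = mint_demo_token(FALLBACK_KEY)
    print("unconfigured site, vulnerable verifier:", verify_vulnerable(default_signed, None))
    print("unconfigured site, hardened verifier:  ", verify_hardened(default_signed, None))
```

The hardened verifier differs from the vulnerable one in exactly one decision: an install with no configured secret returns a failure instead of reaching for the default. Any token the default key would have validated, however it was obtained, is then rejected on every unconfigured site.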

Business impact

This vulnerability is of critical severity with a CVSS score of 9.8, indicating a high potential for widespread and severe damage. Exploitation allows for Remote Code Execution (RCE), giving an attacker complete control over the web server. The potential consequences include theft of sensitive data (customer information, intellectual property), financial loss, reputational damage from website defacement, and the use of the compromised server to attack other systems. This vulnerability poses a direct threat to the confidentiality, integrity, and availability of the affected WordPress site and its underlying infrastructure.

Remediation

Immediate Action: Update the Copypress Rest API plugin to the latest version available from the vendor, which addresses this vulnerability. After patching, review server access logs and file systems for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring: Monitor web server and API logs for unusual requests targeting the Copypress Rest API, specifically the copyreap_handle_image() endpoint. Scrutinize logs for requests authenticated with JWTs that originate from unknown or untrusted IP addresses. Monitor file systems for any suspicious or unexpected files, particularly in WordPress upload directories.
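The monitoring advice above reduces to a concrete triage rule: requests that reach the plugin's route carrying a JWT from a source you do not recognise. The Python block below is an added example of that rule over constructed log lines; it is not from the advisory or the vendor. It assumes a JSON-per-line log (as a reverse proxy or WAF can produce) that records the Authorization header, and the REST route prefix is an assumption, since the advisory names only the PHP function copyreap_handle_image().

```python
"""Triage of API logs for requests to the vulnerable plugin route.

Added example, not from the advisory or the plugin vendor. Assumes a JSON
log with one entry per line that includes the Authorization header. The
route prefix, trusted network and sample lines are all constructed.
"""
import base64
import ipaddress
import json
from typing import Dict, Iterable, List, Optional

# Assumed route prefix for the plugin; replace with the route seen on your install.
SUSPECT_ROUTE_PREFIX = "/wp-json/copyreap/"
# Constructed allowlist of networks from which API clients are expected.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log. The JWT payloads decode to {"sub":"editor"} and
# {"sub":"admin"}; the signature part is a dummy string, since triage does
# not verify signatures.
SAMPLE_LOG = """\
{"ts":"2025-08-01T10:00:01Z","ip":"10.0.5.7","method":"POST","path":"/wp-json/copyreap/v1/image","auth":"Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJlZGl0b3IifQ.sig","status":200}
{"ts":"2025-08-01T10:02:13Z","ip":"203.0.113.9","method":"POST","path":"/wp-json/copyreap/v1/image","auth":"Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.sig","status":200}
{"ts":"2025-08-01T10:03:40Z","ip":"203.0.113.9","method":"GET","path":"/wp-json/wp/v2/posts","auth":"","status":200}
"""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def peek_jwt_claims(auth_header: str) -> Optional[dict]:
    """Decode (without verifying) the payload of a Bearer JWT so the claims can be reviewed."""
    if not auth_header.startswith("Bearer "):
        return None
    parts = auth_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    try:
        return json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 or JSON: not a JWT we can read
        return None


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage(lines: Iterable[str]) -> List[Dict]:
    """Return entries that hit the plugin route with a JWT from an untrusted source."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        if not entry["path"].startswith(SUSPECT_ROUTE_PREFIX):
            continue
        claims = peek_jwt_claims(entry.get("auth", ""))
        if claims is None or is_trusted(entry["ip"]):
            continue
        findings.append({"ts": entry["ts"], "ip": entry["ip"], "path": entry["path"],
                         "status": entry["status"], "claims": claims})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} {f['path']} status={f['status']} claims={f['claims']}")
```

Only the second line is reported: it reaches the plugin route, carries a token, and comes from outside the trusted network. A reported entry with a 2xx status deserves the first look, because it means the token was accepted, and the decoded claims tell you which identity the request claimed. Standard combined access logs do not include the Authorization header, so the server or proxy must be configured to log it for this check to work.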

Compensating Controls: If immediate patching is not feasible, consider the following controls:

  • Disable and deactivate the Copypress Rest API plugin until it can be safely updated.
  • Implement a Web Application Firewall (WAF) with rules specifically designed to block malicious requests attempting to exploit this vulnerability.
  • Restrict access to the WordPress REST API endpoints to only trusted IP addresses at the network or web server level.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the critical severity (CVSS 9.8) and the potential for a complete system compromise, immediate action is required. Organizations must prioritize applying the vendor-supplied patch to all vulnerable instances of the Copypress Rest API plugin. Although this vulnerability is not currently listed in the CISA KEV catalog, its high severity and ease of exploitation make it a prime target for attackers. Proactive patching is the most effective defense against a breach.