A critical vulnerability has been identified in the WP Webhooks plugin for WordPress, assigned CVE-2025-8895 with a CVSS score of 9.8. This flaw allows unauthenticated attackers to copy arbitrary files on the server, potentially leading to sensitive information disclosure or a complete system compromise through remote code execution. Organizations using this plugin are at immediate risk and should apply the recommended updates without delay.

The plugin fails to properly validate user-supplied input in one of its functions. This allows an unauthenticated attacker to craft a special request that specifies a source file and a destination path on the server's filesystem. An attacker can exploit this to copy sensitive files, such as wp-config.php (containing database credentials), to a web-accessible directory, or to copy a malicious PHP script to a location where it can be executed, resulting in remote code execution (RCE).

This vulnerability is of critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the affected website and the underlying server. Potential consequences include theft of sensitive data (customer information, intellectual property, credentials), website defacement, service disruption, and the use of the compromised server to launch further attacks. The reputational and financial damage from such a breach could be substantial.

Immediate Action: Immediately update the WP Webhooks plugin for WordPress to the latest patched version (any version after 3.3.5). If an update cannot be performed, disable and uninstall the plugin until patching is possible.

Proactive Monitoring: Review web server access logs for unusual POST or GET requests directed at the WP Webhooks plugin endpoints, particularly those containing file paths. Monitor the filesystem for unexpected new files created in web-accessible directories or modifications to core WordPress files. Implement file integrity monitoring to detect unauthorized changes.

Compensating Controls: If patching is not immediately possible, deploy a Web Application Firewall (WAF) with rules designed to block requests containing directory traversal patterns (../) or suspicious file paths targeting the plugin. Enforce strict file permissions on the web server to limit the web user's ability to write to sensitive directories.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the potential for a complete system compromise by an unauthenticated attacker, this vulnerability requires immediate attention. We strongly recommend that all organizations using the WP Webhooks plugin apply the vendor-supplied patch or disable the plugin immediately. Although this CVE is not currently listed on the CISA KEV list, its severity warrants treating it with the highest priority to prevent potential exploitation.