Remote Code Execution Vulnerability in Copypress Rest API Plugin for WordPress
CVE-2025-8625
What is CVE-2025-8625?
The Copypress Rest API plugin for WordPress contains a vulnerability that allows unauthenticated attackers to execute code remotely. Two weaknesses combine: the copyreap_handle_image() function lacks adequate restrictions on file types, and the plugin defaults to a hard-coded JSON Web Token (JWT) signing key when no secret is set. Consequently, attackers can forge valid tokens, gain elevated privileges, and exploit the image handler to upload arbitrary files, potentially including malicious PHP scripts. This vulnerability raises significant security concerns for WordPress sites using this plugin.
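The two weaknesses described above map to two defensive checks, sketched here as an added example that is not the plugin's code or its vendor's fix. All function names are hypothetical and the inputs are constructed. The code assumes PHP 8 with the fileinfo extension.

```php
<?php
// Added illustration: function names are hypothetical, not the plugin's code.
const ALLOWED_IMAGE_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
// Fail closed: without a configured secret, no token is ever accepted.
function load_jwt_secret(?string $configured): string
{
    if ($configured === null || strlen($configured) < 32) {
        throw new RuntimeException('JWT secret missing or too short');
    }
    return $configured;
}

function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Accept HS256 only and compare signatures in constant time.
function verify_hs256(string $jwt, string $secret): bool
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return false;
    }
    $header = json_decode((string) base64_decode(strtr($parts[0], '-_', '+/')), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return false;
    }
    return hash_equals(b64url(hash_hmac('sha256', "$parts[0].$parts[1]", $secret, true)), $parts[2]);
}

// Name the stored file from its sniffed content, never from the client-supplied name.
function safe_image_name(string $bytes): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime]) || @getimagesizefromstring($bytes) === false) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

// Constructed inputs: a random per-site secret, a token signed with it, two uploads.
$secret = load_jwt_secret(bin2hex(random_bytes(32)));
$body   = b64url('{"alg":"HS256","typ":"JWT"}') . '.' . b64url('{"sub":"editor"}');
$token  = $body . '.' . b64url(hash_hmac('sha256', $body, $secret, true));
var_dump(verify_hs256($token, $secret));              // token signed with the site secret
var_dump(verify_hs256($token, str_repeat('x', 32)));  // same token checked against another key
var_dump(safe_image_name('<?php echo 1;'));           // script content, not an image
var_dump(safe_image_name('GIF89a' . pack('vvCCC', 1, 1, 0, 0, 0) . ';'));  // minimal GIF header
```

Because the stored extension comes from the allowlist, a file that passes the image checks is never written with a .php suffix, and calling load_jwt_secret(null) throws instead of substituting a default key.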

Affected Version(s)
Copypress Rest API: versions 1.1 through 1.2