Arbitrary File Copy Vulnerability in WP Webhooks Plugin for WordPress
CVE-2025-8895

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: WP Webhooks – Automate Repetitive Tasks By Creating Powerful Automation Workflows Directly Within WordPress
Vendor: CVE Published:; 21 August 2025

What is CVE-2025-8895?

The WP Webhooks plugin for WordPress suffers from a critical vulnerability that allows unauthenticated attackers to execute arbitrary file copy operations. This issue arises due to inadequate validation of user-supplied input across all versions up to and including 3.3.5. Attackers could exploit this flaw to copy sensitive files, such as the wp-config.php file, to easily accessible locations on the server. This could lead to the exposure of critical database credentials and other sensitive information, putting the affected site at significant risk.

Affected Version(s)

WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress * <= 3.3.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/wp-webhooks

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 21, 2025
Vulnerability Reserved
Aug 12, 2025

Credit

Nguyen Tan Phat

JSON