Webhooks < 3.3.9 – Unauthenticated Arbitrary File Upload | CVE 2025-66074 | Plugin Vulnerabilities

Description

The WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 3.3.8. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Fixed in 3.3.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7e402e3e-7b11-4931-8a4b-a80d26b9eb04

Miscellaneous

Original Researcher

Phat RiO - BlueRock

Verified

No

WPVDB ID

bba2e1b3-7403-41a1-a88b-cd5d23d79f83

Timeline

Publicly Published

2025-12-12 (about 6 months ago)

Added

2025-12-19 (about 6 months ago)

Last Updated

2025-12-19 (about 6 months ago)

Other

Published

Title

Published

2014-08-01

Title

WP Marketplace 1.2.1 - File Enumeration Weakness & File Upload Vulnerabilities

Published

2026-04-07

Title

DSGVO Google Web Fonts GDPR <= 1.1 - Unauthenticated Arbitrary File Upload via 'fonturl' Parameter

Published

2025-02-11

Title

Security & Malware scan by CleanTalk < 2.150 - Unauthenticated Arbitrary File Upload

Published

2026-05-18

Title

Piotnet Forms <= 2.1.40 - Unauthenticated Arbitrary File Upload via Form File Upload

Published

2025-08-21

Title

Portfolio Manager Pro 3.8 - Unauthenticated Arbitrary File Upload