WordPress Plugin Vulnerabilities

WP Webhooks < 3.3.6 - Unauthenticated Arbitrary File Copy

Description

The WP Webhooks plugin for WordPress is vulnerable to arbitrary file copy due to missing validation of user-supplied input in all versions up to, and including, 3.3.5. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server to arbitrary locations. This can be used to copy the contents of wp-config.php into a text file which can then be accessed in a browser to reveal database credentials.

Affects Plugins

Plugin icon
wp-webhooks
Fixed in 3.3.6

References

CVE
CVE-2025-8895
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/de9c9e1e-3c3c-463a-a78c-d8bc7228da93

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Phat RiO - BlueRock
Verified
No
WPVDB ID
dccc83eb-c458-46b0-81c7-9aaa144a567d

Timeline

Publicly Published
2025-08-20 (about 10 months ago)
Added
2025-08-20 (about 10 months ago)
Last Updated
2025-08-21 (about 10 months ago)

Other

Published
Title
Published
2023-06-12
Title
ND Shortcodes < 7.0 - Subscriber+ LFI
Published
2026-06-05
Title
10WebAdManager <= 1.0.11 - Unauthenticated Arbitrary File Download
Published
2024-06-06
Title
SC filechecker <= 0.6 - Authenticated (Admin+) Arbitrary File Deletion
Published
2024-06-27
Title
Tutor LMS < 2.7.2 - Authenticated (Admin+) Path Traversal
Published
2024-08-15
Title
JetTabs < 2.2.3.1 - Authenticated (Contributor+) Arbitrary Local File Inclusion