CVE-2025-8625
Published: 30 September 2025
Summary
CVE-2025-8625 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in the Copypress Rest API plugin for WordPress (product inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 27.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Remediating flaws in the Copypress Rest API plugin directly addresses the hard-coded JWT key and the unrestricted file uploads that together enable RCE.
Validating information inputs in the copyreap_handle_image() function restricts file types to prevent uploading arbitrary PHP scripts.
Proper cryptographic key management eliminates reliance on hard-coded JWT signing keys, blocking token forgery for elevated privileges.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE through a public-facing web application: a forged JWT bypasses authentication, enabling the upload of an arbitrary PHP file that then serves as a web shell.
NVD Description
The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution via copyreap_handle_image() Function in versions 1.1 to 1.2. The plugin falls back to a hard-coded JWT signing key when no secret is defined and does not restrict which file types can be fetched and saved as attachments. As a result, unauthenticated attackers can forge a valid token to gain elevated privileges and upload an arbitrary file (e.g. a PHP script) through the image handler, leading to remote code execution.
Deeper analysis
CVE-2025-8625 is a critical remote code execution vulnerability in the Copypress Rest API plugin for WordPress, affecting versions 1.1 through 1.2. The issue stems from the copyreap_handle_image() function, which falls back to a hard-coded JWT signing key when no secret is defined and fails to restrict file types that can be fetched and saved as attachments. This allows attackers to forge valid JWT tokens, granting elevated privileges and enabling the upload of arbitrary files, such as PHP scripts, directly through the image handler. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-321 (Use of Hard-coded Cryptographic Key).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By crafting a forged JWT token using the known hard-coded signing key, they gain elevated privileges to interact with the image handler endpoint. This enables the upload and execution of malicious files, such as PHP webshells, resulting in full remote code execution on the targeted WordPress site.
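The two defects described above (a silent fallback to a built-in JWT key, and no file-type restriction on fetched attachments) map onto the SC-12 and SI-10 controls listed earlier. The following is an added illustration of the hardened pattern, not the plugin's own code: the constant name COPYREAP_JWT_SECRET and the copyreap_example_* function names are hypothetical, while download_url(), wp_check_filetype_and_ext(), media_handle_sideload() and WP_Error are WordPress core APIs.

```php
<?php
// Added example, not the plugin's own code. Constant COPYREAP_JWT_SECRET and the
// copyreap_example_* names are hypothetical; the WordPress core helpers are real.

function copyreap_example_b64url_decode(string $s) {
    $s = strtr($s, '-_', '+/');
    $pad = strlen($s) % 4;
    if ($pad) { $s .= str_repeat('=', 4 - $pad); }
    return base64_decode($s, true);
}

// Fail closed: with no configured secret there is nothing to verify against,
// so no built-in fallback key is ever used (the defect behind CWE-321 here).
function copyreap_example_verify_jwt(string $jwt) {
    if (!defined('COPYREAP_JWT_SECRET') || COPYREAP_JWT_SECRET === '') {
        return null;
    }
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { return null; }
    [$h, $p, $sig] = $parts;
    $header = json_decode((string) copyreap_example_b64url_decode($h), true);
    // Pin the algorithm so a token-supplied "alg" value is never honoured.
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') { return null; }
    $expected = hash_hmac('sha256', "$h.$p", COPYREAP_JWT_SECRET, true);
    if (!hash_equals($expected, (string) copyreap_example_b64url_decode($sig))) { return null; }
    $claims = json_decode((string) copyreap_example_b64url_decode($p), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) < time()) { return null; }
    return $claims;
}

// Fetch a remote image and save it as an attachment only when both its
// extension and its sniffed content match an explicit image allowlist.
function copyreap_example_save_image(string $url) {
    $tmp = download_url($url);
    if (is_wp_error($tmp)) { return $tmp; }
    $name = sanitize_file_name(basename((string) parse_url($url, PHP_URL_PATH)));
    $allowed = ['jpg|jpeg' => 'image/jpeg', 'png' => 'image/png',
                'gif' => 'image/gif', 'webp' => 'image/webp'];
    $check = wp_check_filetype_and_ext($tmp, $name, $allowed);
    if (empty($check['ext']) || empty($check['type'])) {
        @unlink($tmp); // reject anything that is not a recognised image, e.g. a .php file
        return new WP_Error('copyreap_bad_type', 'Only image files may be saved as attachments.');
    }
    $file = ['name' => $check['proper_filename'] ?: $name, 'tmp_name' => $tmp];
    return media_handle_sideload($file, 0); // attachment ID on success, WP_Error otherwise
}
```

A REST callback would call copyreap_example_verify_jwt() first and return a 401 when it yields null, and only then hand the URL to copyreap_example_save_image(); the early return replaces the hard-coded fallback key entirely rather than merely hiding it.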
Advisories from Wordfence and the Copypress Rest API plugin developers on WordPress.org detail mitigation steps and patch information. Security practitioners should refer to https://www.wordfence.com/threat-intel/vulnerabilities/id/3045c9e5-4095-48e5-8d9d-16a091e69d54?source=cve and https://wordpress.org/plugins/copypress-rest-api/#developers for updates, including available patches and remediation guidance.
Details
- CWE(s)