Cyber Resilience

CVE-2025-8895

Critical

Published: 21 August 2025

Modified: 15 April 2026
KEV Added: not listed
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0053 (67.7th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-8895 is a critical-severity Path Traversal (CWE-22) vulnerability in WordPress (the affected product is inferred from the references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 32.3% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-8895 is an arbitrary file copy vulnerability in the WP Webhooks plugin for WordPress, affecting all versions up to and including 3.3.5. The flaw arises from missing validation of user-supplied input, enabling attackers to copy arbitrary files on the affected site's server to arbitrary locations. It is classified under CWE-22 (Path Traversal) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to high impacts on confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By leveraging the file copy capability, they can, for example, duplicate sensitive files like wp-config.php into a web-accessible text file, allowing browser-based retrieval of database credentials and potentially enabling further compromise such as full site takeover.

Patches addressing this issue are available, as indicated by a changeset in the WordPress plugin trac repository (from revision 3327632 to 3347509 in the wp-webhooks trunk). Security practitioners should update to a version beyond 3.3.5. Further details on the vulnerability and remediation are provided in advisories from Wordfence and the plugin's official WordPress.org page.

Vulnerability details

The WP Webhooks plugin for WordPress is vulnerable to arbitrary file copy due to missing validation of user-supplied input in all versions up to, and including, 3.3.5. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server to arbitrary locations. This can be used to copy the contents of wp-config.php into a text file which can then be accessed in a browser to reveal database credentials.

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The flaw permits direct, remote, unauthenticated exploitation of a public-facing WordPress plugin via path traversal for arbitrary file operations.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-64075 (shared CWE-22)
CVE-2024-53537 (shared CWE-22)
CVE-2024-36512 (shared CWE-22)
CVE-2025-0493 (shared CWE-22)
CVE-2025-70231 (shared CWE-22)
CVE-2026-43888 (shared CWE-22)
CVE-2025-15031 (shared CWE-22)
CVE-2026-25785 (shared CWE-22)
CVE-2025-11366 (shared CWE-22)
CVE-2026-1810 (shared CWE-22)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation (prevent)

Directly requires validation of user-supplied input such as file paths, preventing path traversal attacks that enable arbitrary file copying in the WP Webhooks plugin.

SI-2 Flaw Remediation (prevent)

Mandates identification, reporting, and timely remediation of flaws like CVE-2025-8895 by updating the plugin to a patched version beyond 3.3.5.

prevent

Enforces access controls on public web systems like WordPress to protect against unauthorized access to resources via unauthenticated endpoints exploited in this vulnerability.
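As an added example (not code from WP Webhooks, Wordfence or this advisory), the PHP helper below applies the input-validation control recommended above to a file-copy operation: every user-supplied path is canonicalised and must resolve inside one plugin-owned sandbox directory, so a traversal to wp-config.php or a write outside the sandbox is refused before any filesystem access. The sandbox location and the function names are assumptions.

```php
<?php
// Added example (constructed; not code from WP Webhooks or the advisory).
// Resolve $relative against $base and return the canonical absolute path only if
// it stays inside $base. Existing paths go through realpath() (follows symlinks);
// a destination that may not exist yet has its parent resolved instead.
function resolve_inside(string $base, string $relative, bool $must_exist): ?string
{
    // Reject empty input, embedded null bytes and absolute or drive-letter paths.
    if ($relative === '' || strpos($relative, "\0") !== false
        || $relative[0] === '/' || $relative[0] === '\\'
        || preg_match('/^[A-Za-z]:/', $relative)) {
        return null;
    }
    $base_real = realpath($base);
    if ($base_real === false) {
        return null;
    }
    $base_real = rtrim($base_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $candidate = $base_real . $relative;

    if ($must_exist) {
        $real = realpath($candidate); // collapses "..", "." and symlinks
    } else {
        $leaf = basename($relative);
        $parent = realpath(dirname($candidate));
        if ($leaf === '' || $leaf === '.' || $leaf === '..' || $parent === false) {
            return null;
        }
        $real = rtrim($parent, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $leaf;
        if (file_exists($real)) {
            $real = realpath($real); // an existing leaf may itself be a symlink
        }
    }
    if ($real === false || (file_exists($real) && !is_file($real))) {
        return null; // unresolvable, or a directory rather than a regular file
    }
    // Containment: the canonical path must begin with the canonical base.
    return strncmp($real, $base_real, strlen($base_real)) === 0 ? $real : null;
}

// Copy one file to another location, both confined to $sandbox (assumed to be a
// plugin-owned directory under wp-content/uploads). Returns false on rejection.
function safe_copy(string $sandbox, string $src_rel, string $dst_rel): bool
{
    $src = resolve_inside($sandbox, $src_rel, true);
    $dst = resolve_inside($sandbox, $dst_rel, false);
    if ($src === null || $dst === null) {
        return false; // reject (and log) instead of falling back to raw input
    }
    return copy($src, $dst);
}
```

With this check in place a request such as `safe_copy($sandbox, '../../wp-config.php', 'config.txt')` returns false, because the source resolves above the sandbox; a rejected call is also a useful signal to log for detection.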

References