CVE-2025-8895
Published: 21 August 2025
Summary
CVE-2025-8895 is a critical-severity Path Traversal (CWE-22) vulnerability in the WP Webhooks plugin for WordPress. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-8895 is an arbitrary file copy vulnerability in the WP Webhooks plugin for WordPress, affecting all versions up to and including 3.3.5. The flaw arises from missing validation of user-supplied input, enabling attackers to copy arbitrary files on the affected site's server to arbitrary locations. It is classified under CWE-22 (Path Traversal) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to high impacts on confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By leveraging the file copy capability, they can, for example, duplicate sensitive files like wp-config.php into a web-accessible text file, allowing browser-based retrieval of database credentials and potentially enabling further compromise such as full site takeover.
Patches addressing this issue are available, as indicated by a changeset in the WordPress plugin trac repository (from revision 3327632 to 3347509 in the wp-webhooks trunk). Administrators should update to a release later than 3.3.5. Because the documented exploit leaves a copy of wp-config.php in a web-accessible location, sites that ran a vulnerable version unpatched should also look for unexpected text files under web-served directories and rotate the database credentials if such a file is found. Further details on the vulnerability and remediation are provided in advisories from Wordfence and the plugin's official WordPress.org page.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25429
Vulnerability details
The WP Webhooks plugin for WordPress is vulnerable to arbitrary file copy due to missing validation of user-supplied input in all versions up to, and including, 3.3.5. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server to arbitrary locations. This can be used to copy the contents of wp-config.php into a text file which can then be accessed in a browser to reveal database credentials.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application. Why this technique: direct remote, unauthenticated exploitation of a public-facing WordPress plugin via path traversal for arbitrary file operations.
Affected Assets
- WP Webhooks plugin for WordPress, all versions up to and including 3.3.5
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of user-supplied input such as file paths, preventing the path traversal that enables arbitrary file copying in the WP Webhooks plugin.
- SI-2 (Flaw Remediation): mandates identification, reporting, and timely remediation of flaws like CVE-2025-8895 by updating the plugin to a patched version beyond 3.3.5.
- Access enforcement on public-facing web systems such as WordPress: protects against unauthorized access to resources through the unauthenticated endpoint exploited in this vulnerability.
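As an added worked example, not code from the WP Webhooks plugin, from Wordfence, or from the changeset referenced above, the snippet below shows the CWE-22 pattern described in the deeper analysis (request-controlled source and destination paths passed straight to a file copy) beside a hardened version that applies the SI-10 input validation and the access enforcement control listed here. The REST route `example/v1/copy`, the `source` and `destination` parameters, the `uploads/webhooks` directory and every `cve_example_*` function are assumptions made for this illustration; only the WordPress and PHP API calls are real.

```php
<?php
/**
 * Added illustration of the CWE-22 pattern behind CVE-2025-8895.
 * This is not the WP Webhooks source. The REST route 'example/v1/copy',
 * the 'source'/'destination' parameters, the uploads/webhooks directory and
 * every cve_example_* function are assumptions made for this example.
 */

/* Vulnerable pattern: request-controlled paths flow straight into copy().
 * With source=../../wp-config.php and destination=../../leak.txt the server
 * writes its database credentials into a file the attacker can then fetch. */
function cve_example_vulnerable_copy( WP_REST_Request $request ) {
	$base = WP_CONTENT_DIR . '/uploads/webhooks/';
	$src  = $base . $request->get_param( 'source' );
	$dst  = $base . $request->get_param( 'destination' );
	if ( copy( $src, $dst ) ) {
		return new WP_REST_Response( array( 'copied' => true ), 200 );
	}
	return new WP_Error( 'copy_failed', 'copy failed', array( 'status' => 500 ) );
}

/* Hardened helper: canonicalise the path and keep it inside $base_dir.
 * $must_exist is true for a source (realpath() on the file itself) and false
 * for a destination that may not exist yet (realpath() on its parent). */
function cve_example_confined_path( $base_dir, $user_path, $must_exist ) {
	$base = realpath( $base_dir );
	if ( false === $base ) {
		return new WP_Error( 'bad_base', 'base directory missing', array( 'status' => 500 ) );
	}
	$base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;

	// Null bytes and absolute paths are never legitimate input here.
	if ( false !== strpos( $user_path, "\0" ) || path_is_absolute( $user_path ) ) {
		return new WP_Error( 'bad_path', 'path rejected', array( 'status' => 400 ) );
	}

	$candidate = $base . $user_path;
	if ( $must_exist ) {
		$resolved = realpath( $candidate );
		if ( false === $resolved || ! is_file( $resolved ) ) {
			return new WP_Error( 'bad_path', 'source is not a regular file', array( 'status' => 400 ) );
		}
	} else {
		$parent = realpath( dirname( $candidate ) );
		if ( false === $parent ) {
			return new WP_Error( 'bad_path', 'destination directory missing', array( 'status' => 400 ) );
		}
		$resolved = rtrim( $parent, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR . basename( $candidate );
	}

	// Prefix check on the canonical path defeats ../ sequences and symlink escapes.
	if ( 0 !== strpos( $resolved, $base ) ) {
		return new WP_Error( 'bad_path', 'path escapes allowed directory', array( 'status' => 400 ) );
	}

	// Allowlist file types so neither side of the copy can be PHP or wp-config.php.
	$ext = strtolower( pathinfo( $resolved, PATHINFO_EXTENSION ) );
	if ( ! in_array( $ext, array( 'json', 'csv', 'txt' ), true ) ) {
		return new WP_Error( 'bad_path', 'file type not allowed', array( 'status' => 400 ) );
	}
	return $resolved;
}

function cve_example_hardened_copy( WP_REST_Request $request ) {
	$base = WP_CONTENT_DIR . '/uploads/webhooks';
	$src  = cve_example_confined_path( $base, (string) $request->get_param( 'source' ), true );
	if ( is_wp_error( $src ) ) {
		return $src;
	}
	$dst = cve_example_confined_path( $base, (string) $request->get_param( 'destination' ), false );
	if ( is_wp_error( $dst ) ) {
		return $dst;
	}
	if ( ! copy( $src, $dst ) ) {
		return new WP_Error( 'copy_failed', 'copy failed', array( 'status' => 500 ) );
	}
	return new WP_REST_Response( array( 'copied' => true ), 200 );
}

/* Route registration. The unauthenticated exposure described in the advisory
 * corresponds to 'permission_callback' => '__return_true'; the hardened route
 * instead requires an administrator-level capability before the callback runs. */
add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/copy', array(
		'methods'             => 'POST',
		'callback'            => 'cve_example_hardened_copy',
		'permission_callback' => function () {
			return current_user_can( 'manage_options' );
		},
	) );
} );
```

Against the hardened route, the documented payload fails twice: `source=../../wp-config.php` resolves outside `uploads/webhooks` and carries a `.php` extension, and `destination=../../leak.txt` fails the prefix check on its parent directory. Checking the canonical path rather than the raw string matters because `realpath()` also follows symlinks, so a link planted inside the allowed directory cannot be used to reach outside it.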