CVE-2025-8895 Overview
The WP Webhooks plugin for WordPress contains an arbitrary file copy vulnerability due to missing validation of user-supplied input in all versions up to, and including, 3.3.5. This path traversal flaw (CWE-22) allows unauthenticated attackers to copy arbitrary files on the affected site's server to arbitrary locations. Notably, this can be exploited to copy the contents of wp-config.php into a text file, which can then be accessed via a browser to reveal sensitive database credentials.
Critical Impact
Unauthenticated attackers can exploit this vulnerability to exfiltrate sensitive configuration files including database credentials, potentially leading to complete site compromise.
Affected Products
- WP Webhooks WordPress Plugin versions up to and including 3.3.5
- WordPress installations with vulnerable WP Webhooks plugin versions
Discovery Timeline
- 2025-08-21 - CVE-2025-8895 published to NVD
- 2025-08-22 - Last updated in NVD database
Technical Details for CVE-2025-8895
Vulnerability Analysis
This vulnerability stems from a classic path traversal weakness (CWE-22) in the WP Webhooks plugin's file handling functionality. The plugin fails to properly validate and sanitize user-supplied file paths before performing copy operations. Without authentication requirements on the vulnerable endpoint, any remote attacker can craft malicious requests to copy sensitive server files to web-accessible locations.
The primary exploitation scenario involves targeting the wp-config.php file, which contains critical WordPress configuration data including database host, username, password, and table prefix. By copying this file to a publicly accessible directory with a .txt extension, attackers can simply browse to the file and retrieve all database credentials in plaintext.
Root Cause
The root cause of this vulnerability is the absence of input validation on user-supplied file paths within the WP Webhooks plugin's file copy functionality. The plugin does not implement proper path canonicalization or restrict operations to safe directories, allowing directory traversal sequences to escape intended boundaries. Additionally, the vulnerable functionality lacks authentication checks, enabling unauthenticated exploitation.
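The canonicalization and directory restriction that the root cause describes as missing, shown as an added example (not the plugin's code, and written in Python rather than the plugin's PHP). `resolve_inside`, `safe_copy` and the site tree built in `demo` are hypothetical names; the example covers path confinement only, not the missing authentication check.

```python
import os
import shutil
import tempfile

class UnsafePathError(ValueError):
    """A requested path resolves outside the allowed base directory."""

def resolve_inside(base_dir, user_path):
    # realpath() collapses ".." and follows symlinks before the containment check.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"{user_path!r} resolves outside {base}")
    return candidate

def safe_copy(base_dir, src, dst):
    """Copy src to dst only when both resolve inside base_dir."""
    source = resolve_inside(base_dir, src)
    target = resolve_inside(base_dir, dst)
    if not os.path.isfile(source):
        raise UnsafePathError(f"{src!r} is not a regular file")
    shutil.copyfile(source, target)
    return target

def demo():
    root = tempfile.mkdtemp()  # constructed sample site tree
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    config = os.path.join(root, "wp-config.php")
    with open(config, "w") as fh:
        fh.write("<?php define( 'DB_PASSWORD', 'constructed-sample' );\n")
    with open(os.path.join(uploads, "report.csv"), "w") as fh:
        fh.write("id,status\n1,ok\n")
    os.symlink(config, os.path.join(uploads, "link.php"))
    requests = [("report.csv", "report-copy.csv"),    # stays inside
                ("../../wp-config.php", "leak.txt"),  # traversal in source
                (config, "leak.txt"),                 # absolute source path
                ("link.php", "leak.txt"),             # symlink to the config
                ("report.csv", "../../../leak.txt")]  # traversal in destination
    results = []
    for src, dst in requests:
        try:
            safe_copy(uploads, src, dst)
            results.append("copied")
        except UnsafePathError:
            results.append("rejected")
    leaked = os.path.exists(os.path.join(uploads, "leak.txt"))
    shutil.rmtree(root)
    return results, leaked
```

The check and the copy are separate steps, so this form also assumes no other process can swap a path component between them.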
Attack Vector
The attack vector is network-based, requiring no authentication, user interaction, or special privileges. An attacker can exploit this vulnerability remotely by sending crafted HTTP requests to the vulnerable WordPress installation.
The exploitation process typically follows these steps:
- The attacker identifies a WordPress site running a vulnerable version of WP Webhooks (3.3.5 or earlier)
- A malicious request is crafted specifying the source file (e.g., wp-config.php) and a web-accessible destination path
- The plugin copies the targeted file without validation
- The attacker accesses the copied file via browser to retrieve sensitive credentials
- With database credentials in hand, the attacker can escalate to full site compromise
For technical details on the vulnerability mechanism, refer to the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-8895
Indicators of Compromise
- Unexpected .txt files appearing in web-accessible directories containing configuration data
- HTTP access logs showing requests to unusual text files that may contain copied configuration content
- Web server logs indicating requests with path traversal patterns targeting WP Webhooks endpoints
- Unauthorized database access attempts using credentials from wp-config.php
Detection Strategies
- Monitor web server access logs for suspicious file copy requests targeting WP Webhooks plugin endpoints
- Implement file integrity monitoring on sensitive WordPress files including wp-config.php
- Configure alerts for new text files created in public directories that contain database connection strings
- Use web application firewall (WAF) rules to detect and block path traversal attempts
Monitoring Recommendations
- Enable verbose logging for all WordPress plugin activity, particularly file operations
- Implement real-time alerting for unauthorized file access or copy operations on the WordPress installation
- Monitor for anomalous database authentication attempts that could indicate credential theft
- Review web server logs regularly for indicators of exploitation attempts
How to Mitigate CVE-2025-8895
Immediate Actions Required
- Update WP Webhooks plugin to version 3.3.6 or later immediately
- Audit WordPress installations for any unexpected files in web-accessible directories
- Rotate database credentials if exploitation is suspected
- Review access logs for evidence of exploitation attempts prior to patching
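An added audit script for the "unexpected files in web-accessible directories" step above and for the earlier alert on text files containing database connection strings; it is not from the plugin vendor or Wordfence. The function names, marker list, threshold and sample tree are assumptions made for this example.

```python
import os
import re
import tempfile

# wp-config.php constants; two or more in another file suggest a copy of it.
MARKERS = re.compile(
    rb"\bdefine\s*\(\s*['\"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['\"]")
EXPECTED = {"wp-config.php", "wp-config-sample.php"}  # legitimate at top level only
MAX_BYTES = 1_000_000  # read cap per file; wp-config.php is far smaller

def find_config_copies(webroot, threshold=2):
    """Return [(relative_path, marker_names)] for suspected wp-config.php copies."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot)
            if rel in EXPECTED:
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            found = sorted({m.decode() for m in MARKERS.findall(data)})
            if len(found) >= threshold:
                hits.append((rel, found))
    return sorted(hits)

SAMPLE_CONFIG = (b"<?php\n"  # constructed sample, not from a real site
                 b"define( 'DB_NAME', 'constructed_db' );\n"
                 b"define( 'DB_USER', 'constructed_user' );\n"
                 b"define( 'DB_PASSWORD', 'constructed-secret' );\n")

def build_sample_site():
    """Create a temp tree: the real config, a benign file, and a .txt copy."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for path, body in [(os.path.join(root, "wp-config.php"), SAMPLE_CONFIG),
                       (os.path.join(uploads, "notes.txt"), b"meeting notes\n"),
                       (os.path.join(uploads, "backup.txt"), SAMPLE_CONFIG)]:
        with open(path, "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, markers in find_config_copies(build_sample_site()):
        print(f"suspected wp-config.php copy: {rel} ({', '.join(markers)})")
```

Point `find_config_copies` at the real document root to audit a site; any hit found on an unpatched installation is a reason to rotate the database credentials.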
Patch Information
The vulnerability has been addressed in WP Webhooks versions after 3.3.5. Administrators should update to the latest available version via the WordPress plugin repository. The patch changeset can be reviewed in the WordPress Plugin Change Log.
For more information about the plugin, visit the WordPress WP Webhooks Plugin page.
Workarounds
- Temporarily disable the WP Webhooks plugin until patching is possible
- Implement web application firewall rules to block path traversal patterns in requests
- Restrict access to WordPress admin and plugin directories via server configuration
- Move wp-config.php one directory level above the WordPress installation root (WordPress supports this natively)
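# Example Apache rules to restrict plugin directory access.
# A <Directory> block is only valid in the server or virtual-host configuration, not in .htaccess.
# Apache 2.4 syntax (Require replaces the older Order/Deny/Allow directives).
# Covers direct requests for files under this path only; adjust the path to the installed plugin directory.
<Directory "/var/www/html/wp-content/plugins/wp-webhooks">
    Require ip 127.0.0.1
</Directory>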
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

