Vulnerability Description
The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution via copyreap_handle_image() Function in versions 1.1 to 1.2. The plugin falls back to a hard-coded JWT signing key when no secret is defined and does not restrict which file types can be fetched and saved as attachments. As a result, unauthenticated attackers can forge a valid token to gain elevated privileges and upload an arbitrary file (e.g. a PHP script) through the image handler, leading to remote code execution.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://wordpress.org/plugins/copypress-rest-api/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3045c9e5-4095-48e5-8d9
FAQ
What is CVE-2025-8625?
CVE-2025-8625 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution via copyreap_handle_image() Function in versions 1.1 to 1.2. The plugin falls back to a hard-coded JWT signing key wh...
How severe is CVE-2025-8625?
CVE-2025-8625 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-8625?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.