CRITICAL🇵🇱 Wersja polska

CVE-2025-8625

CVSS 9.8v3.1pub. 2025-09-30upd. 2026-04-15

The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution via copyreap_handle_image() Function in versions 1.1 to 1.2. The plugin falls back to a hard-coded JWT signing key when no secret is defined and does not restrict which file types can be fetched and saved as attachments. As a result, unauthenticated attackers can forge a valid token to gain elevated privileges and upload an arbitrary file (e.g. a PHP script) through the image handler, leading to remote code execution.

🤖 AI Analysis
How it works

When a custom JWT secret is not defined in the plugin configuration, the plugin uses a built-in, hardcoded signing key (CWE-321). An attacker, knowing this key, can generate their own fully valid JWT token and authenticate as a user with elevated privileges. The copyreap_handle_image() function does not verify the types of downloaded and saved files, allowing an attacker to upload any file – such as a PHP script – as an attachment. Once the script is placed on the server, the attacker can invoke it and execute arbitrary code in the context of the web server.

Impact

An unauthenticated attacker can gain full control over the WordPress server by executing arbitrary server-side code (RCE), which may result in website compromise, data theft, or further lateral movement in the network.

Mitigation & patch

The Copypress Rest API plugin must be immediately updated to a version higher than 1.2 or removed from the environment until a patch is available. Detailed information about available fixes should be checked in the vendor references (wordpress.org/plugins/copypress-rest-api) and in the Wordfence report.

Who is affected

Copypress Rest API plugin for WordPress in versions 1.1 and 1.2.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth Bypass
CWE
References