CVE-2025-66074 in WP Webhooks Plugin
Summary
by MITRE • 12/18/2025
Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal. This issue affects WP Webhooks: from n/a through <= 3.3.8.
Analysis
by VulDB Data Team • 12/18/2025
CVE-2025-66074 is an unrestricted file upload flaw (CWE-434) in the Cozmoslabs WP Webhooks plugin for WordPress. The plugin accepts uploaded files without adequately restricting their type, and the file name is additionally subject to path traversal, so an attacker who can reach the affected upload functionality can place a file of a dangerous type on the server. The advisory scopes the issue to every release up to and including 3.3.8 and gives no lower bound ("from n/a"), so any deployment of the plugin that has not moved past 3.3.8 should be treated as affected. The advisory does not state a CVSS score or the privilege level required to reach the upload path, so those points should be confirmed against the vendor changelog before an organisation decides how urgent its own remediation is.
Technically the flaw is a missing or insufficient validation step on the uploaded file: the plugin neither restricts the extension to an allow-list nor verifies that the content matches a permitted type. WordPress runs on PHP, so the extensions that matter on the server side are the ones the web server hands to the PHP interpreter, such as .php, .phtml and .phar (ASP.NET extensions like .aspx are irrelevant on a PHP host), and on servers where the MIME handler matches any dotted segment a name such as shell.php.png is just as dangerous as shell.php. The path traversal component compounds this: because the client-supplied name is joined onto the destination directory without being reduced to a single safe component, sequences such as ../ let the attacker choose where under the document root the file lands, for example outside wp-content/uploads where PHP execution might otherwise have been disabled. Together, an executable extension and an attacker-chosen location give a direct path to remote code execution in the context of the web server user. The advisory does not name the specific endpoint or request parameters involved, so this analysis describes the bug class rather than a particular exploit.
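To make the two halves of the bug concrete, the following is an added example (not code from the WP Webhooks plugin, whose internals the advisory does not show) that places the vulnerable pattern beside a hardened one. It models a generic upload handler in Python rather than PHP so that it can be run stand-alone; the upload root, allow-list and extension sets are assumptions for the demonstration.

```python
import os
import re

UPLOAD_ROOT = "/var/www/html/wp-content/uploads"  # assumed layout for this example
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "json", "txt"}
# Dotted segments a PHP-enabled server may hand to the interpreter. Checking every
# segment, not just the last, is what catches shell.php.png.
EXECUTABLE_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "php8",
                       "phtml", "phar", "pht", "phps"}
# Exactly one path component: starts with an alphanumeric (so no .htaccess and no ".."),
# then only characters that cannot form a separator or a traversal sequence.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class UnsafeUpload(ValueError):
    """Raised when a client-supplied file name fails validation."""


def vulnerable_destination(upload_root, user_filename):
    """The CWE-434 plus traversal pattern: the client-supplied name is joined
    straight onto the upload directory, so '../' walks out of it and '.php' is kept."""
    return os.path.normpath(os.path.join(upload_root, user_filename))


def hardened_destination(upload_root, user_filename):
    """Allow-list the name and extension, then verify the final path stays in the root."""
    if "\x00" in user_filename:
        raise UnsafeUpload("null byte in filename")
    if "/" in user_filename or "\\" in user_filename:
        raise UnsafeUpload("path separator in filename")
    if not SAFE_NAME.fullmatch(user_filename):
        raise UnsafeUpload("filename has disallowed characters or a leading dot")
    segments = user_filename.lower().split(".")
    if len(segments) < 2:
        raise UnsafeUpload("missing extension")
    extensions = segments[1:]
    if extensions[-1] not in ALLOWED_EXTENSIONS:
        raise UnsafeUpload("extension %r not allow-listed" % extensions[-1])
    if any(seg in EXECUTABLE_SEGMENTS for seg in extensions):
        raise UnsafeUpload("executable extension embedded in filename")
    root = os.path.normpath(upload_root)
    dest = os.path.normpath(os.path.join(root, user_filename))
    # Defence in depth: the checks above should make this unreachable, but verify
    # that the normalised destination is a direct child of the upload root anyway.
    if os.path.dirname(dest) != root:
        raise UnsafeUpload("destination escapes upload root")
    return dest


def check(user_filename):
    """Return the hardened handler's decision as a string, for the demonstration run."""
    try:
        return "accepted: " + hardened_destination(UPLOAD_ROOT, user_filename)
    except UnsafeUpload as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    # Constructed sample names covering the benign case, traversal, a bare PHP
    # extension, a double extension, a dotfile and a null-byte truncation attempt.
    for name in ("avatar.png", "../../wp-config.php", "shell.php",
                 "shell.php.png", ".htaccess", "x.png\x00.php"):
        print(repr(name), "| naive:", vulnerable_destination(UPLOAD_ROOT, name),
              "| hardened:", check(name))
```

The naive join normalises "../../wp-config.php" to a path two directories above the upload root, which is exactly the write-anywhere primitive the advisory describes; the hardened version rejects the name before any path is built and, independently, refuses any destination whose parent is not the upload root. A real WordPress handler would additionally verify the file content against the claimed type, as core's wp_check_filetype_and_ext() does.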
Operationally the impact goes well beyond data theft or service disruption. Code execution as the web server user lets an attacker read wp-config.php and with it the database credentials, create administrator accounts, drop a web shell or other persistent backdoor that survives a plugin update, and use the host as a staging point against the rest of the network. Web shells written into wp-content/uploads or into a plugin directory blend in with legitimate files and routinely go unnoticed for long periods. Because the affected range covers every release up to 3.3.8 with no stated lower bound, sites that lag on plugin updates are likely to remain exposed long after the fix ships.
Remediation is to upgrade WP Webhooks to a release newer than 3.3.8, confirming against the vendor changelog that the release addresses this issue, since the advisory itself does not name a fixed version. Until then, restrict who can reach the plugin's upload functionality, and configure the web server to refuse PHP execution under wp-content/uploads; note that this last control does not fully cover a traversal bug, which can write outside that directory, so it is a mitigation rather than a fix. On the detection side, alert on any file with a PHP-like extension appearing under wp-content/uploads, on new .htaccess files in that tree (used to re-enable script execution), and on PHP files anywhere under wp-content whose contents match common web shell patterns. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and, in MITRE ATT&CK terms, is typically exploited through T1190 (Exploit Public-Facing Application) followed by T1505.003 (Server Software Component: Web Shell) for persistence. A web application firewall can block obvious upload payloads but should not be relied on as the sole control. Because CWE-434 is a common weakness in WordPress plugins, a regular review of every installed plugin's and theme's upload handling is worthwhile.
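The detection checks above, as an added example that is not part of the advisory or of the plugin: a Python scanner that walks a wp-content tree and flags executable extensions and .htaccess files under uploads/, and PHP files anywhere that match a few web shell markers. The directory layout, file contents and marker patterns are constructed for the demonstration and should be tuned for a real environment.

```python
import re
import tempfile
from pathlib import Path

# Extensions a PHP-enabled web server may execute. Under uploads/ they are suspect in any
# dotted segment (shell.php.png), since some server configurations match every segment.
EXECUTABLE_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "php8",
                       "phtml", "phar", "pht", "phps"}

# Content markers typical of PHP web shells, as (label, compiled byte regex).
SHELL_MARKERS = [
    ("eval of decoded payload",
     re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("command execution from request",
     re.compile(rb"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*"
                rb"\$_(?:GET|POST|REQUEST|COOKIE)\b")),
    ("variable function on request data",
     re.compile(rb"\$_(?:GET|POST|REQUEST)\s*\[[^\]]*\]\s*\(\s*\$_(?:GET|POST|REQUEST)")),
]
MAX_READ = 256 * 1024  # only the head of each file is inspected


def suspicious_segments(filename):
    """True if any dotted segment after the first is an executable PHP extension."""
    segments = filename.lower().split(".")[1:]
    return any(seg in EXECUTABLE_SEGMENTS for seg in segments)


def scan_wp_content(wp_content_dir):
    """Map relative path -> list of reasons for every file that deserves a closer look."""
    base = Path(wp_content_dir)
    findings = {}
    for path in sorted(base.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(base).as_posix()
        reasons = []
        in_uploads = rel.startswith("uploads/")
        if in_uploads and suspicious_segments(path.name):
            reasons.append("executable extension under uploads/")
        if in_uploads and path.name == ".htaccess":
            reasons.append(".htaccess under uploads/ (may re-enable PHP execution)")
        with path.open("rb") as fh:
            data = fh.read(MAX_READ)
        for label, pattern in SHELL_MARKERS:
            if pattern.search(data):
                reasons.append("web shell marker: " + label)
        if reasons:
            findings[rel] = reasons
    return findings


def build_demo_tree():
    """Create a constructed wp-content tree in a temp directory. Every path and every
    file body here is made up for this example; 'example-plugin' is a placeholder."""
    base = Path(tempfile.mkdtemp(prefix="wp-content-"))
    files = {
        "uploads/2025/12/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "uploads/2025/12/shell.php": b"<?php eval(base64_decode($_POST['c'])); ?>",
        "uploads/2025/12/image.php.png": b"\x89PNG constructed png bytes",
        "uploads/.htaccess": b"AddType application/x-httpd-php .png\n",
        "plugins/example-plugin/example.php": b"<?php add_action('init', 'example_init');",
        "plugins/example-plugin/cache.php": b"<?php system($_REQUEST['cmd']);",
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base


if __name__ == "__main__":
    root = build_demo_tree()
    for rel, reasons in scan_wp_content(root).items():
        print(rel, "->", "; ".join(reasons))
```

Run it against a real site's wp-content directory instead of build_demo_tree() and diff the output against a known-good baseline; a PHP file that is legitimately part of a plugin will not be flagged on extension alone, only on content, which keeps the noise down while still catching a shell dropped into a plugin directory via traversal.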