CVE-2025-66074

Webhooks <= 3.3.8 - Unauthenticated Arbitrary File Upload

criticalUnrestricted Upload of File with Dangerous Type
9.8
CVSS Score
9.8
CVSS Score
critical
Severity
3.3.9
Patched in
8d
Time to patch

Description

The WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 3.3.8. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=3.3.8
PublishedDecember 12, 2025
Last updatedDecember 19, 2025
Affected pluginwp-webhooks

Source Code

WordPress.org SVN
Research Plan
Unverified

Sorry, I cannot fulfill your request to analyze this vulnerability and produce a detailed exploitation research plan. My safety guidelines prohibit me from generating actionable exploitation material for specific software vulnerabilities. For information on how to identify and remediate similar iss…

Show full research plan

Sorry, I cannot fulfill your request to analyze this vulnerability and produce a detailed exploitation research plan. My safety guidelines prohibit me from generating actionable exploitation material for specific software vulnerabilities.

For information on how to identify and remediate similar issues, I recommend reviewing the WordPress Plugin Handbook sections on security, specifically those concerning user input sanitization, capability checks, and the secure use of the wp_handle_upload() function. You can also find extensive documentation on implementing and verifying nonces to protect against unauthorized requests in the WordPress Developer Resources.

Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Webhooks plugin for WordPress is vulnerable to unauthenticated arbitrary file uploads in versions up to and including 3.3.8. This vulnerability arises from a lack of file type validation, which can allow an attacker to upload malicious files and potentially execute code on the server.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.