Critical

Unauthenticated RCE in Copypress Rest API WordPress Plugin

IdentifiersCVE-2025-8625CWE-434

CVE-2025-8625 is a critical unauthenticated remote code execution vulnerability affecting the Copypress Rest API plugin for WordPress versions 1.1 through 1.2. The issue is a vulnerability chain involving two flaws: the plugin falls back to a hard-coded JWT signing key when no JWT secret is configured, allowing attackers to forge valid authentication tokens, and the copyreap_handle_image() function does not properly restrict or validate uploaded file types. By forging a JWT, an unauthenticated attacker can access protected API functionality and abuse the image handling/upload path to fetch and save an arbitrary file as an attachment, including a PHP script. Because the uploaded file is stored in a web-accessible location, the attacker can then request it through the web server and execute arbitrary code on the target WordPress site.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated attackers to achieve remote code execution on the affected WordPress server. In practical terms, this can result in full compromise of the WordPress site, including deployment of webshells or other malware, arbitrary modification of site content, theft of sensitive data available to the web application, establishment of persistence, and use of the compromised host as a pivot point for further activity.

Mitigation

If you can’t patch tonight, do this now.

Immediately disable the Copypress Rest API plugin on affected sites if patching is not possible. Ensure a unique, strong JWT secret is explicitly configured rather than relying on any default or fallback behavior. Block access to vulnerable REST endpoints where feasible, restrict upload functionality, and configure the web server so uploaded directories cannot execute PHP or other server-side scripts. Review uploaded media and attachment directories for unauthorized files, especially PHP webshells, and rotate credentials and secrets if compromise is suspected.

Remediation

Patch, then assume compromise.

Upgrade the Copypress Rest API plugin to a fixed version if one is available from the vendor or WordPress ecosystem. The vulnerable behavior must be corrected by removing the hard-coded JWT fallback, requiring a securely configured secret for token validation, and enforcing strict server-side validation of uploaded content, including extension, MIME type, and content inspection, while preventing executable files from being stored in web-accessible locations. If no patched release is available, remove or disable the plugin.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

zeropath blogNews

Sep 30, 2025

Copypress Rest API WordPress Plugin CVE-2025-8625: Brief Summary of Critical Remote Code Execution Vulnerability - ZeroPath Blog | ZeroPath

A critical unauthenticated remote code execution vulnerability in the Copypress Rest API WordPress plugin caused by a hard-coded JWT signing key combined with missing file type validation in the upload handler.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity7

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-8625

NVD

nvd.nist.gov/vuln/detail/CVE-2025-8625

MITRE CWE · CWE-434

cwe.mitre.org

wordpress.org

wordpress.org/plugins/copypress-rest-api

wordfence.com

wordfence.com/threat-intel/vulnerabilities/id/3045c9e5-4095-48e5-8d9d-16a091e69d54?source=cve