Copypress Rest API WordPress Plugin CVE-2025-8625: Brief Summary of Critical Remote Code Execution Vulnerability

Brief summary of CVE-2025-8625, a critical remote code execution vulnerability in Copypress Rest API WordPress plugin versions 1.1 to 1.2, caused by a hard-coded JWT signing key and lack of file type validation. Includes technical details and affected versions.
ZeroPath CVE Analysis

2025-09-30

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

Introduction

Attackers can achieve remote code execution on WordPress sites running vulnerable versions of the Copypress Rest API plugin without authentication. This vulnerability enables adversaries to upload and execute arbitrary files, including PHP scripts, potentially resulting in full compromise of affected sites.

Copypress Rest API is a WordPress plugin that extends REST API capabilities for content management. While not among the largest plugins in the ecosystem, its presence in production sites highlights the ongoing risks posed by third-party extensions in the WordPress landscape. The plugin was temporarily closed by the WordPress Plugin Review Team on September 26, 2025, following the discovery of this critical flaw.

Technical Information

CVE-2025-8625 combines two distinct security failures in Copypress Rest API plugin versions 1.1 to 1.2:

  1. Hard-coded JWT Signing Key: The plugin uses JWT for authentication. If no secret is configured, it falls back to a hard-coded signing key embedded in the plugin code. Because that key is public (it ships in the plugin source), anyone can forge valid JWT tokens for any site running the plugin with default settings. This bypasses authentication and gives the attacker access to protected API endpoints.

  2. Missing File Type Validation in copyreap_handle_image(): The plugin's image handler function does not restrict which file types can be uploaded and saved as attachments. As a result, attackers can upload arbitrary files, including PHP scripts, through the API endpoint. Uploaded files are stored in locations accessible by the web server, enabling direct execution.

Attack Flow:

  • An attacker forges a valid JWT token using the hard-coded signing key.
  • The attacker submits a request to the vulnerable image handler endpoint, uploading a malicious file (such as a PHP webshell).
  • The plugin saves the file without validation.
  • The attacker accesses the uploaded file via the web server, achieving remote code execution.

Root Cause:

  • Use of a hard-coded cryptographic key for JWT signing (CWE-321).
  • Lack of file type or content validation in file upload logic.

No public code snippets are available in advisories or research at this time.
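
A hardened counterpart to the two root causes above, as an added PHP example (not code from the plugin or from any advisory): the token secret fails closed instead of falling back to a built-in value, and an upload is accepted only when its content parses as an allowlisted image, with the stored name and extension chosen by the server. The function names and the EXAMPLE_JWT_SECRET environment variable are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example; names are hypothetical and not taken from the plugin.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

// Fail closed: with no configured secret, no token can be verified at all.
// There is deliberately no default value to fall back to.
function example_jwt_secret(): string
{
    $secret = getenv('EXAMPLE_JWT_SECRET');
    if ($secret === false || strlen($secret) < 32) {
        throw new RuntimeException('JWT secret not configured; refusing to verify tokens');
    }
    return $secret;
}

// Returns a server-chosen file name for accepted image bytes, or null to reject.
function example_safe_image_name(string $bytes): ?string
{
    // Identify the type from the content itself, never from the client's
    // file name or Content-Type header.
    $info = @getimagesizefromstring($bytes);
    if ($info === false) {
        return null;
    }
    $ext = ALLOWED_IMAGE_TYPES[$info[2]] ?? null;   // $info[2] is an IMAGETYPE_* value
    if ($ext === null) {
        return null;
    }
    // Header sniffing alone does not prove the rest of the file is harmless,
    // so the stored extension comes from the detected type and the name is random.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs: a minimal GIF header (1x1) and a PHP source file.
$gif = 'GIF89a' . pack('v2', 1, 1) . "\x00\x00\x00";
$php = "<?php echo 'constructed sample'; ?>";

var_dump(example_safe_image_name($gif));   // accepted: random name ending in .gif
var_dump(example_safe_image_name($php));   // rejected
```

Inside WordPress, a comparable content-versus-extension check is available through core's wp_check_filetype_and_ext().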

Affected Systems and Versions

  • Product: Copypress Rest API WordPress plugin
  • Affected versions: 1.1 to 1.2
  • All configurations using the plugin in these versions are vulnerable, especially if the JWT secret is not explicitly set.

Vendor Security History

  • The plugin was closed by the WordPress Plugin Review Team on September 26, 2025, due to this vulnerability.
  • No additional public record of prior vulnerabilities or security incidents for this plugin or vendor was found.
