What the vulnerability does
01Description
Deserialization of Untrusted Data vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Object Injection.This issue affects WP Webhooks: from n/a through <= 3.3.8.
CVE-2025-66073
HIGH
CVE-2025-66073: WordPress WP Webhooks plugin <= 3.3.8 - PHP Object Injection vulnerability
CVSS base score
7.2/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Explanation of Vulnerability in Simple Terms
02Summary
WP Webhooks versions 3.3.8 and earlier contain a deserialization vulnerability that allows high-privilege users to execute arbitrary PHP code on the site. An attacker with administrator or equivalent access can craft malicious serialized data to trigger code execution. This affects all installations of the plugin up to version 3.3.8.
What an attacker can do
03Attacker Capabilities
Run arbitrary PHP code on the site with full site privileges.
Potential impact on your site
04Site Impact
A compromised admin account can fully compromise the site, steal data, or modify content.
Conditions required to exploit
05Prerequisites
Attacker must have high-level site access (administrator role or equivalent).
Key dates
06Disclosure timeline
November 21, 2025
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2024-56291 WordPress PlainInventory – Inventory Management Plugin Plugin <= 3.1.6 - PHP Object Injection vulnerability
CVE-2021-20318
CVE-2026-41586 ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE
CVE-2026-23542 WordPress Grand Restaurant theme <= 7.0.10 - PHP Object Injection vulnerability
CVE-2026-33112 Microsoft SharePoint Server Remote Code Execution Vulnerability
