CVE-2025-8625 CRITICAL

CVE-2025-8625: Copypress Rest API 1.1 - 1.2 - Missing Configurable JWT Secret and File-Type Validation to Unauthenticated Remote Code Execution

Vendor Copypressdev
Product Copypress Rest API
Weakness CWE-321
Published September 30, 2025
Last update September 30, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution via copyreap_handle_image() Function in versions 1.1 to 1.2. The plugin falls back to a hard-coded JWT signing key when no secret is defined and does not restrict which file types can be fetched and saved as attachments. As a result, unauthenticated attackers can forge a valid token to gain elevated privileges and upload an arbitrary file (e.g. a PHP script) through the image handler, leading to remote code execution.

Explanation of Vulnerability in Simple Terms

02Summary

Copypress Rest API versions 1.1 through 1.2 contain a use of hard-coded cryptographic key vulnerability (CWE-321). An attacker with network access can exploit this flaw without authentication to read sensitive data, modify site content, or disrupt service. The vulnerability affects the API's cryptographic operations and requires no user interaction.

What an attacker can do

03Attacker Capabilities

Read sensitive data, modify content, or disrupt service without authentication.

Potential impact on your site

04Site Impact

Attackers can access, modify, or delete data and functionality through the REST API without logging in.

Conditions required to exploit

05Prerequisites

Network access to the vulnerable API endpoint; no authentication required.

Key dates

06Disclosure timeline

September 30, 2025 CVE published
September 30, 2025 Record updated