CVE-2025-8625

CRITICAL LAB

Copypress Rest API 1.1-1.2 - Unauthenticated Remote Code Execution via JWT Token Forgery

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-8625. PoCs published by Nxploited, ret0x2A, Boshe99.

AI-analyzed exploit summary The repository contains a functional Python exploit for CVE-2025-8625, targeting the Copypress REST API plugin for WordPress (versions 1.1 to 1.2). The exploit leverages a hardcoded JWT secret and missing file-type validation to achieve unauthenticated remote code execution by uploading a malicious file via the image handler endpoint.

Description

The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution via copyreap_handle_image() Function in versions 1.1 to 1.2. The plugin falls back to a hard-coded JWT signing key when no secret is defined and does not restrict which file types can be fetched and saved as attachments. As a result, unauthenticated attackers can forge a valid token to gain elevated privileges and upload an arbitrary file (e.g. a PHP script) through the image handler, leading to remote code execution.

Exploits (3)

github WORKING POC 2 stars
by Nxploited · pythonpoc
https://github.com/Nxploited/CVE-2025-8625

The repository contains a functional Python exploit for CVE-2025-8625, targeting the Copypress REST API plugin for WordPress (versions 1.1 to 1.2). The exploit leverages a hardcoded JWT secret and missing file-type validation to achieve unauthenticated remote code execution by uploading a malicious file via the image handler endpoint.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Copypress REST API plugin for WordPress (versions 1.1 to 1.2)
No auth needed
Prerequisites: Target WordPress site with vulnerable Copypress REST API plugin installed · Access to a hosted malicious file (e.g., PHP shell)
devstral-2 · analyzed Feb 19, 2026 Full analysis →
github WORKING POC 1 stars
by ret0x2A · pythonpoc
https://github.com/ret0x2A/CVE-2025-8625

This repository contains a functional exploit for CVE-2025-8625, targeting a WordPress vulnerability via JWT token manipulation to achieve remote code execution (RCE). The exploit leverages a hardcoded JWT secret to generate a valid token, then uploads a malicious PHP shell to execute arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress (specific version not specified, but likely a plugin or core vulnerability)
No auth needed
Prerequisites: Knowledge of the hardcoded JWT secret · Access to the target WordPress instance · Ability to upload files to the target server
devstral-2 · analyzed Feb 19, 2026 Full analysis →
github WORKING POC
by Boshe99 · pythonpoc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2025-8625

The repository contains functional exploit code for CVE-2025-8625, targeting an arbitrary file upload vulnerability in the WordPress Plugin 3DPrint Lite 1.9.1.4. The exploit demonstrates the ability to upload a malicious file to a vulnerable target.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: WordPress Plugin 3DPrint Lite 1.9.1.4
No auth needed
Prerequisites: target URL · malicious file to upload
devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 9.8
EPSS 0.0055
EPSS Percentile 41.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull wordpress:latest

Details

CWE
CWE-321
Status published
Published Sep 30, 2025
Tracked Since Feb 18, 2026