CVE-2025-66074: Unrestricted Upload of File with Dangerous Type in Cozmoslabs WP Webhooks
Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal. This issue affects WP Webhooks: from n/a through <= 3.3.8.
AI Analysis
Technical Summary
CVE-2025-66074 is a critical security vulnerability affecting the WP Webhooks plugin developed by Cozmoslabs for WordPress, specifically versions up to and including 3.3.8. The vulnerability is characterized by an unrestricted file upload flaw that allows attackers to upload files with dangerous types without proper validation or restriction. Additionally, the issue involves a path traversal vulnerability, which can be exploited to write files outside the intended directories, potentially overwriting critical files or placing malicious payloads in executable locations. The attack vector requires network access (AV:N), low attack complexity (AC:L), and low privileges (PR:L), but does require user interaction (UI:R), such as tricking a user with limited privileges to perform an action that triggers the upload. The vulnerability affects the confidentiality, integrity, and availability of the affected systems, as attackers can upload web shells or malware leading to remote code execution, data exfiltration, or site defacement. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. Although no known exploits are currently reported in the wild, the high CVSS score (9.0) reflects the criticality and potential impact. The vulnerability was reserved in November 2025 and published in December 2025, indicating recent discovery. The plugin is widely used in WordPress environments, which are common in many European organizations for websites and e-commerce platforms. The lack of available patches at the time of publication increases the urgency for mitigation.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on WordPress sites with the WP Webhooks plugin installed. Successful exploitation can lead to unauthorized remote code execution, allowing attackers to gain persistent access, steal sensitive data, disrupt services, or deface websites. This is particularly critical for sectors such as government, finance, healthcare, and e-commerce, where data confidentiality and service availability are paramount. The path traversal aspect increases the risk by enabling attackers to place malicious files in sensitive directories, potentially compromising the entire web server or connected infrastructure. Given the widespread use of WordPress across Europe, organizations with limited patch management capabilities or those unaware of this plugin's presence are at heightened risk. The requirement for user interaction and low privilege means insider threats or social engineering attacks could facilitate exploitation. The impact extends beyond individual sites to potentially affect supply chains and customer trust, with regulatory implications under GDPR if personal data is compromised.
Mitigation Recommendations
1. Immediately identify and inventory all WordPress installations using the WP Webhooks plugin and verify the version in use.
2. Apply patches or updates from Cozmoslabs as soon as they become available; monitor vendor channels for official fixes.
3. In the absence of patches, implement strict file upload restrictions at the web server or application firewall level to block dangerous file types and suspicious payloads.
4. Employ input validation and sanitization on all webhook endpoints to prevent unauthorized file uploads and path traversal attempts.
5. Restrict user privileges to the minimum necessary, especially for roles that can trigger webhook actions or file uploads.
6. Monitor logs and network traffic for unusual upload activity or access patterns indicative of exploitation attempts.
7. Use web application firewalls (WAFs) with custom rules to detect and block exploitation attempts targeting this vulnerability.
8. Educate users about phishing and social engineering risks that could lead to the required user interaction for exploitation.
9. Conduct regular security audits and penetration testing focused on webhook and file upload functionalities.
10. Consider isolating or sandboxing WordPress environments to limit the blast radius of potential compromises.
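The two weaknesses named in the technical summary (dangerous file type plus path traversal) map to the controls in mitigation items 3 and 4. The following is an illustrative example added here; it is not code from WP Webhooks or Cozmoslabs. It shows a filename validator that checks every extension of the supplied name and then confirms the resolved path still lies under the upload directory. The allowlist, the executable-extension list and the upload directory path are constructed for the example.

```python
import os
import posixpath
import re

# Constructed allowlist for this illustration; a real WordPress deployment
# would defer to the site's own allowed mime/extension configuration.
ALLOWED_EXTENSIONS = {"json", "csv", "txt", "png", "jpg", "jpeg", "pdf"}
# Extensions a typical PHP web server may execute or honour as configuration;
# refused even when they appear in the middle of a name (shell.php.png).
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php5", "php7", "phar", "htaccess", "cgi", "pl", "sh"}
_NAME_RE = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]*$")


class UploadRejected(ValueError):
    """Raised when a supplied filename fails type or location validation."""


def safe_upload_path(upload_dir: str, supplied_name: str) -> str:
    """Return an absolute path inside upload_dir for supplied_name, or raise.

    Two controls are combined: a dangerous-type check on every extension and a
    containment check on the resolved path, so neither a crafted extension nor
    a traversal sequence can place a file where the server would execute it.
    """
    # 1. Drop any directory component; '../' and absolute prefixes go with it.
    name = posixpath.basename(supplied_name.replace("\\", "/"))
    # 2. Refuse rather than rewrite unexpected characters (NUL, spaces, ':').
    if not _NAME_RE.match(name):
        raise UploadRejected(f"filename has disallowed characters: {supplied_name!r}")
    # 3. Inspect every dotted segment, not just the last one.
    parts = name.lower().split(".")
    if len(parts) < 2 or not all(parts):
        raise UploadRejected(f"filename has no usable extension: {name!r}")
    exts = parts[1:]
    if exts[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: .{exts[-1]}")
    if any(ext in EXECUTABLE_EXTENSIONS for ext in exts):
        raise UploadRejected(f"executable extension embedded in name: {name!r}")
    # 4. Resolve symlinks and '..', then require the result to stay under upload_dir.
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise UploadRejected(f"resolved path escapes upload directory: {target}")
    return target


def is_accepted(upload_dir: str, supplied_name: str) -> bool:
    """Boolean wrapper around safe_upload_path, convenient for tests and logging."""
    try:
        safe_upload_path(upload_dir, supplied_name)
    except UploadRejected:
        return False
    return True
```

Step 1 already neutralises traversal in the name itself; step 4 is kept as defence in depth against symlinked upload directories and future code paths that build the target differently.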
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:20:58.862Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6943b0564eb3efac36700b44
Added to database: 12/18/2025, 7:42:14 AM
Last enriched: 1/21/2026, 12:21:33 AM
Last updated: 2/5/2026, 9:28:47 PM