Description
Deserialization of Untrusted Data vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Object Injection. This issue affects WP Webhooks: from n/a through <= 3.3.8.
Published: 2025-11-21
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Webhooks plugin contains a deserialization flaw that permits PHP object injection through untrusted data handling. This vulnerability, mapped to CWE-502, can allow an attacker to instantiate malicious objects and ultimately execute arbitrary code on the target server. A successful exploitation would compromise the confidentiality, integrity, and availability of the affected WordPress installation.

Affected Systems

All installations of the Cozmoslabs WP Webhooks plugin with versions up to and including 3.3.8 are vulnerable. The affected range is given as n/a through 3.3.8, so the issue should be assumed to apply from the first released version of the plugin onward; the exact minimum affected version is not specified.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is currently unlikely. The plugin processes serialized data that can be crafted by an attacker, and the vulnerability can be triggered via the plugin’s public interfaces. The likely attack vector is a remote user sending a malicious payload to the plugin’s endpoint; authentication is not required if the endpoint is exposed, but the worst case assumes an attacker could leverage the plugin from any authenticated user account. This CVE is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 29, 2026 at 20:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cozmoslabs WP Webhooks to a version that contains the fix (generally 3.3.9 or later).
  • If an upgrade cannot be performed immediately, restrict access to the plugin’s deserialization endpoints to administrators or through a firewall rule that blocks external requests to those URLs.
  • If the plugin is not essential, deactivate or uninstall it until a patched version is available.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 01:15:00 +0000

Type: Metrics (ssvc)
Values Removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 24 Nov 2025 09:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Fri, 21 Nov 2025 22:15:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 21 Nov 2025 12:45:00 +0000

Type: Description
Values Added: Deserialization of Untrusted Data vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Object Injection.This issue affects WP Webhooks: from n/a through <= 3.3.8.

Type: Title
Values Added: WordPress WP Webhooks plugin <= 3.3.8 - PHP Object Injection vulnerability

Type: Weaknesses
Values Added: CWE-502

Type: References

Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:15.776Z

Reserved: 2025-11-21T11:20:58.862Z

Link: CVE-2025-66073

Vulnrichment

Updated: 2025-11-21T21:48:04.618Z

NVD

Status: Deferred

Published: 2025-11-21T13:15:48.390

Modified: 2026-04-27T18:16:33.417

Link: CVE-2025-66073

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T20:00:18Z

Weaknesses