
WP Webhooks CVE-2025-66073

HIGH
Deserialization of Untrusted Data (CWE-502)
2025-11-21 audit@patchstack.com
7.2
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6 events

Analysis Updated
Apr 24, 2026 - 00:19 · vuln.today
v2 (cvss_changed)

Re-analysis Queued
Apr 23, 2026 - 15:43 · vuln.today
cvss_changed

Severity Changed
Apr 23, 2026 - 15:43 · NVD
MEDIUM -> HIGH

CVSS Changed
Apr 23, 2026 - 15:43 · NVD
6.5 (MEDIUM) -> 7.2 (HIGH)

Analysis Generated
Mar 28, 2026 - 19:23 · vuln.today

CVE Published
Nov 21, 2025 - 13:15 · NVD
MEDIUM 6.5

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Object Injection. This issue affects WP Webhooks: from n/a through <= 3.3.8.

Analysis (AI-generated)

PHP object injection in WP Webhooks through version 3.3.8 lets an authenticated WordPress administrator pass attacker-controlled serialized data to unserialize(). On its own that instantiates arbitrary already-loaded classes with attacker-chosen properties; it becomes arbitrary code execution when the installation contains a suitable gadget chain (a class whose magic methods write files, include code or similar), which is why NVD rates confidentiality, integrity and availability impact as High (7.2). Exploitation requires administrator privileges (PR:H), so the realistic attacker is a compromised or malicious admin account rather than an anonymous visitor. The EPSS score of 0.09% indicates little observed exploitation despite the network-reachable vector, consistent with that privilege requirement limiting real-world opportunities.

Technical Context (AI-generated)

The vulnerability is a CWE-502 flaw: serialized PHP data from an untrusted source reaches unserialize(), a pattern that recurs in WordPress plugins that store webhook payloads or configuration as serialized strings. When PHP deserializes an attacker-controlled string that describes an object, it instantiates that object with the attacker-chosen property values and automatically runs its magic methods: __wakeup() during deserialization, __destruct() when the object is freed, and __toString(), __call() and others as the application later touches the object. The attacker cannot inject new code, but can name any class that is already loaded (WordPress core, the active theme, any active plugin) and set its properties, so a chain of existing classes (a "gadget chain") can be steered into writing or deleting files or evaluating code. In WP Webhooks the serialized data reaches unserialize() through functionality available to high-privilege users without validation of the serialized content, trusting administrator input even though admin accounts are routinely compromised through session hijacking, credential stuffing, malicious plugins and supply chain attacks. The safe options are to avoid PHP's serialization format for such data altogether (JSON) or to call unserialize() with the allowed_classes option set to false (PHP 7.0 and later), so that no class can be instantiated and no magic method can run.
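As an added illustration of that mechanism, not code from WP Webhooks: the PHP below defines a harmless stand-in gadget class (DemoGadget, the $cmd property, the vulnerable_load/hardened_load/json_load helpers and the payload are all made up for the demo), shows a serialized payload triggering __wakeup() and __destruct() through a bare unserialize(), and shows the same payload going inert under allowed_classes => false or when the data is carried as JSON instead.

```php
<?php
// Added example, not WP Webhooks code. DemoGadget, the helpers and the payload are
// assumptions made up to show the CWE-502 mechanism. Needs PHP 7.3+ (JSON_THROW_ON_ERROR).

// A "gadget" is any class already loaded by WordPress core, the theme or a plugin whose
// magic methods have side effects. Here the side effect is only a log entry; real gadgets
// end in file_put_contents(), unlink(), include or eval.
class DemoGadget
{
    public $cmd = '';
    public static $log = [];

    public function __wakeup()
    {
        self::$log[] = "__wakeup ran, cmd=" . $this->cmd;
    }

    public function __destruct()
    {
        self::$log[] = "__destruct ran, would execute: " . $this->cmd;
    }
}

// Vulnerable pattern: serialized data from an admin-controlled source (POST body,
// stored option, import file) goes straight to unserialize().
function vulnerable_load(string $data)
{
    return unserialize($data);
}

// Hardened pattern 1: forbid class instantiation. Any object in the string becomes a
// __PHP_Incomplete_Class and none of DemoGadget's magic methods run.
function hardened_load(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not use PHP's serialization format for untrusted data at all.
// JSON can only describe arrays and scalars, never an object with behaviour.
function json_load(string $data): array
{
    return json_decode($data, true, 32, JSON_THROW_ON_ERROR);
}

// Constructed attacker payload, built with serialize() so the length prefixes are exact.
// It is the string an attacker would submit: O:10:"DemoGadget":1:{s:3:"cmd";s:2:"id";}
$gadget = new DemoGadget();
$gadget->cmd = 'id';
$payload = serialize($gadget);
unset($gadget);          // destructor of the payload-building instance fires here ...
DemoGadget::$log = [];   // ... so clear the log before the real demonstration
echo "payload: {$payload}\n";

// 1. Vulnerable: the object is instantiated with attacker-chosen properties and
//    __wakeup()/__destruct() run with no further action by the victim.
$obj = vulnerable_load($payload);
unset($obj);
printf("vulnerable_load: %d magic method(s) ran\n", count(DemoGadget::$log));
foreach (DemoGadget::$log as $line) {
    echo "  {$line}\n";
}

// 2. Hardened: same payload, the class is never instantiated.
DemoGadget::$log = [];
$safe = hardened_load($payload);
printf("hardened_load: got %s, %d magic method(s) ran\n",
    get_class($safe), count(DemoGadget::$log));
unset($safe);

// 3. JSON: the equivalent data is just an array; there is no class to abuse.
var_dump(json_load('{"cmd":"id"}'));
```

Running it prints the payload string, "vulnerable_load: 2 magic method(s) ran" with the two log lines, and "hardened_load: got __PHP_Incomplete_Class, 0 magic method(s) ran". The point of the second case is that allowed_classes => false does not merely sanitise the string; it removes the attacker's ability to choose a class at all, which is the capability every gadget chain depends on.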

Affected Products (AI-generated)

All WP Webhooks plugin versions up to and including 3.3.8 are affected per the Patchstack advisory (the lower bound is listed as n/a, meaning no earlier safe version is identified). The flaw lives in plugin code, so it is present on every WordPress installation running those versions regardless of PHP or WordPress core version. Whether deserialization can be escalated to code execution on a given site depends on which gadget classes that site has loaded (core, theme and other plugins), so the absence of a known chain should not be read as safety. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-webhooks/vulnerability/wordpress-wp-webhooks-plugin-3-3-8-php-object-injection-vulnerability gives the affected version range and fix details.

Remediation (AI-generated)

Upgrade WP Webhooks to version 3.3.9 or later, which addresses the unsafe deserialization. No workaround fully eliminates the risk while the vulnerable plugin stays active. Where patching must wait, combine compensating controls, each with a trade-off: restrict wp-admin and wp-login.php access to an IP allowlist (shrinks the reachable surface but breaks remote admin workflows); enforce multi-factor authentication for every administrator account and review the admin list for stale or unknown users (narrows the credential-compromise path that the PR:H vector depends on, at the cost of user friction); deactivate WP Webhooks until the update is applied (removes the vulnerable code along with the webhook functionality); and monitor WordPress audit logs for unexpected plugin configuration changes, webhook creation by unfamiliar accounts, or serialized object tokens (O:...) appearing in stored plugin options (detection only, does not prevent exploitation). Full advisory and patch information at https://patchstack.com/database/Wordpress/Plugin/wp-webhooks/vulnerability/wordpress-wp-webhooks-plugin-3-3-8-php-object-injection-vulnerability.
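As an added example of the monitoring control above (not code from WP Webhooks, Patchstack or vuln.today), the PHP below implements a detection-only scanner: it decodes each stored value with allowed_classes => false, which is safe even on a malicious payload because no class is instantiated, and reports every embedded object together with its class name and position. The option names and values are constructed for the demo; in practice you would feed it values exported from wp_options or captured request bodies. The function names find_serialized_objects, walk_for_objects and scan_options are assumptions.

```php
<?php
// Added example, not from WP Webhooks or the advisory. A detection-only helper: report
// serialized PHP objects inside stored values. Admin-typed settings should never contain
// object tokens, so any hit is worth an audit-log entry. Needs PHP 7.0+ (allowed_classes).

/** Return [['path' => ..., 'class' => ...], ...] for every object embedded in $value. */
function find_serialized_objects(string $value): array
{
    $found = [];
    // allowed_classes=false turns every object into __PHP_Incomplete_Class without running
    // a constructor, __wakeup() or __destruct(), so scanning a gadget payload is safe.
    // The @ silences the notice unserialize() emits on data that is not serialized PHP.
    $decoded = @unserialize($value, ['allowed_classes' => false]);
    if ($decoded === false && $value !== 'b:0;') {
        return $found;   // JSON, plain text or garbage: not PHP serialization at all
    }
    walk_for_objects($decoded, '$', $found);
    return $found;
}

/** Depth-first walk over arrays and incomplete objects, recording each object's path. */
function walk_for_objects($node, string $path, array &$found): void
{
    if ($node instanceof __PHP_Incomplete_Class) {
        $props = (array) $node;   // exposes __PHP_Incomplete_Class_Name plus the properties
        $found[] = ['path' => $path, 'class' => $props['__PHP_Incomplete_Class_Name']];
        unset($props['__PHP_Incomplete_Class_Name']);
        foreach ($props as $k => $v) {
            // Private/protected names carry a "\0Class\0" or "\0*\0" prefix; strip it.
            $name = preg_replace('/^\0[^\0]*\0/', '', (string) $k);
            walk_for_objects($v, $path . '->' . $name, $found);
        }
    } elseif (is_array($node)) {
        foreach ($node as $k => $v) {
            walk_for_objects($v, $path . '[' . $k . ']', $found);
        }
    }
    // scalars and null: nothing to report
}

/** Scan a name => value map and keep only the entries that contain objects. */
function scan_options(array $options): array
{
    $report = [];
    foreach ($options as $name => $value) {
        $hits = find_serialized_objects((string) $value);
        if ($hits !== []) {
            $report[$name] = $hits;
        }
    }
    return $report;
}

// Constructed sample values standing in for rows exported from wp_options.
$samples = [
    // Legitimate: a plugin setting stored as a serialized array of scalars.
    'webhook_settings' => serialize(['url' => 'https://example.com/hook', 'active' => true]),
    // Plain JSON, not PHP serialization: ignored.
    'json_option'      => '{"cmd":"id"}',
    // Suspicious: an object token nested inside an array, the shape an injected payload takes.
    'tampered_option'  => 'a:1:{s:4:"hook";O:10:"DemoGadget":1:{s:3:"cmd";s:2:"id";}}',
    // Suspicious: a top-level object whose property is private ("\0Gadget\0cmd", 11 bytes).
    'tampered_direct'  => 'O:6:"Gadget":1:{s:11:"' . "\0Gadget\0" . 'cmd";s:2:"id";}',
];

foreach (scan_options($samples) as $name => $hits) {
    foreach ($hits as $hit) {
        printf("ALERT option=%s path=%s class=%s\n", $name, $hit['path'], $hit['class']);
    }
}
```

Expected output is two ALERT lines: tampered_option at path $[hook] with class DemoGadget, and tampered_direct at path $ with class Gadget; the legitimate array and the JSON value produce nothing. Decoding with allowed_classes => false is preferable to a regex for the "O:" token because a regex also fires on a harmless string value that merely contains that text, while the walk only reports objects PHP actually parsed as objects.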


CVE-2025-66073 vulnerability details – vuln.today
