The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution via copyreap_handle_image() Function in versions 1.1 to 1.2. The plugin falls back to a hard-coded JWT signing key when no secret is defined and does not restrict which file types can be fetched and saved as attachments. As a result, unauthenticated attackers can forge a valid token to gain elevated privileges and upload an arbitrary file (e.g. a PHP script) through the image handler, leading to remote code execution.
When a custom JWT secret is not defined in the plugin configuration, the plugin uses a built-in, hardcoded signing key (CWE-321). An attacker, knowing this key, can generate their own fully valid JWT token and authenticate as a user with elevated privileges. The copyreap_handle_image() function does not verify the types of downloaded and saved files, allowing an attacker to upload any file – such as a PHP script – as an attachment. Once the script is placed on the server, the attacker can invoke it and execute arbitrary code in the context of the web server.
An unauthenticated attacker can gain full control over the WordPress server by executing arbitrary server-side code (RCE), which may result in website compromise, data theft, or further lateral movement in the network.
The Copypress Rest API plugin must be immediately updated to a version higher than 1.2 or removed from the environment until a patch is available. Detailed information about available fixes should be checked in the vendor references (wordpress.org/plugins/copypress-rest-api) and in the Wordfence report.
Copypress Rest API plugin for WordPress in versions 1.1 and 1.2.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H