CVE-2025-4389 - Vulnerability Details

- Crawlomatic Multipage Scraper Post Generator <= 2.6.8.1 - Unauthenticated Arbitrary File Upload

Description

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function in all versions up to, and including, 2.6.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Published: 2025-05-17

Score: 9.8 Critical

EPSS: 2.6% Low

KEV: No

Impact:

Action:

Analysis

Impact

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress suffers from a missing file type validation in the crawlomatic_generate_featured_image() function, a flaw classified as CWE-434, permitting any file to be uploaded via an unauthenticated request. This omission enables an attacker to place files such as PHP scripts on the server. The description states that this could permit remote code execution after upload, meaning the attacker could then navigate to the uploaded artifact to run arbitrary code.

Affected Systems

All versions of the plugin up to and including 2.6.8.1 are affected. The vendor is CodeRevolution, and the product is the Crawlomatic Multipage Scraper Post Generator for WordPress. No other vendors are listed as impacted.

Risk and Exploitability

The CVSS score of 9.8 signals a critical severity and the EPSS score of 2.565% indicates a moderate exploitation likelihood. The vulnerability is not present in CISA’s KEV catalog. Because the flaw allows unauthenticated uploads without file type checks, an attacker can exploit the endpoint, upload a malicious script, and then trigger execution through the web server, potentially compromising the entire WordPress site.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

CodeRevolution

Crawlomatic Multipage Scraper Post Generator

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.6.8.1

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Crawlomatic Multipage Scraper Post Generator plugin to a version where file type validation has been added.
If an upgrade is not immediately possible, restrict the plugin’s upload capabilities by configuring WordPress to allow only safe file types and preventing executable files from being stored in the uploads directory (e.g., by adjusting MIME type whitelisting).
If the plugin is not required, uninstall it to eliminate the vulnerability.
Implement explicit file type validation rules for uploads, following CWE‑434 best practices, to reject non‑image files and disallow executables.

Generated by OpenCVE AI on April 28, 2026 at 18:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-15567	The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function in all versions up to, and including, 2.6.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.02565.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://codecanyon.net/item/crawlomatic-multisite-scraper-post-generator-plugin-for-wordpress/20476010
https://www.wordfence.com/threat-intel/vulnerabilities/id/1283e839-8588-4a76-9c1e-61562526166d?source=cve

History

Mon, 19 May 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Sat, 17 May 2025 05:45:00 +0000

Type	Values Removed	Values Added
Description		The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function in all versions up to, and including, 2.6.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title		Crawlomatic Multipage Scraper Post Generator <= 2.6.8.1 - Unauthenticated Arbitrary File Upload
Weaknesses		CWE-434
References		https://codecanyon.net/item/crawlomatic-multisite-scraper-post-generator-plugin-for-wordpress/20476010 https://www.wordfence.com/threat-intel/vulnerabilities/id/1283e839-8588-4a76-9c1e-61562526166d?source=cve
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-05-17T05:30:33.140Z

Updated: 2026-04-08T16:36:26.068Z

Reserved: 2025-05-06T19:26:11.492Z

Link: CVE-2025-4389

Vulnrichment

Updated: 2025-05-19T16:58:55.710Z

NVD

Status : Deferred

Published: 2025-05-17T06:15:18.980

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4389

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T19:00:20Z

Weaknesses

CWE-434

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object