Description
Unauthenticated Arbitrary File Upload in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7 versions.
Published: 2026-06-17
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an unauthenticated attacker to upload arbitrary files through the WordPress & WooCommerce Scraper Plugin, Import Data from Any Site. The upload mechanism does not properly validate or restrict file types, enabling the placement of malicious scripts on the server. If the uploaded file is interpreted by the web application, an attacker could gain write access, execute code, or compromise the entire WordPress installation. The weakness is categorized as CWE-434 (Unrestricted Upload of File with Dangerous Type).

Affected Systems

Any WordPress site running Extendons’ WordPress & WooCommerce Scraper Plugin, Import Data from Any Site version 1.0.7 or earlier is affected. The vulnerability is active until the plugin is upgraded beyond 1.0.7.

Risk and Exploitability

The CVSS score of 10 denotes critical severity, and the lack of an EPSS score means the current exploitation likelihood is unknown. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit it via unauthenticated web requests to the plugin’s upload endpoint, requiring no special permissions. Once a file is uploaded, execution of that file can lead to complete compromise of the hosting environment.

Generated by OpenCVE AI on June 18, 2026 at 12:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to the latest version released after 1.0.7, or disable the plugin if an update is not available.
  • Apply a web application firewall rule or security plugin that blocks unrestricted file uploads to the plugin’s upload endpoint as a temporary safeguard.
  • Remove the plugin entirely and replace it with a vetted alternative that enforces strict file type validation and permission checks.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 17 Jun 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Unauthenticated Arbitrary File Upload in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7 versions. |
| Title | | WordPress WordPress & WooCommerce Scraper Plugin, Import Data from Any Site plugin <= 1.0.7 - Arbitrary File Upload vulnerability |
| Weaknesses | | CWE-434 |
| References | | |
| Metrics | | cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:39:36.371Z

Reserved: 2025-12-29T11:19:37.128Z

Link: CVE-2025-69129

Vulnrichment

Updated: 2026-06-17T12:39:32.962Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T12:30:04Z

Weaknesses
  • CWE-434: Unrestricted Upload of File with Dangerous Type