Description
Unauthenticated Arbitrary File Download in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7 versions.
Published: 2026-06-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The weakness is located in the WordPress & WooCommerce Scraper Plugin, Import Data from Any Site and is caused by a lack of validation when an HTTP request parameter is used to build a file path. An attacker can supply an arbitrary path and the plugin will return the contents of that file to the requester, allowing download of any file that the web server process can read. The impact is the disclosure of file contents; the vulnerability does not modify or delete data. The possibility of exposing configuration files, credentials, or other sensitive data is inferred from the general ability to retrieve arbitrary files, but the CVE description does not explicitly state which files are vulnerable.

Affected Systems

WordPress sites that have the extendons WordPress & WooCommerce Scraper Plugin, Import Data from Any Site installed with a version of 1.0.7 or earlier are affected. No other products or versions are specifically cited as impacted.

Risk and Exploitability

The CVSS v3.1 base score of 7.5 indicates high severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is unauthenticated, an attacker can send a direct HTTP request that includes a file path parameter to the plugin endpoint; the server will respond with the requested file contents. This path traversal can expose sensitive files on the server, which may lead to disclosure of confidential information (inferred).

Generated by OpenCVE AI on June 17, 2026 at 22:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the extendons WordPress & WooCommerce Scraper Plugin to an available patch or newer version that addresses the path traversal flaw.
  • If a patch is not available, permanently disable or remove the plugin to eliminate the attack vector.
  • Configure file system permissions and/or use .htaccess rules to deny read access to directories outside the public web root, and consider adding a web application firewall rule to block requests that attempt path traversal patterns targeting the plugin endpoint.

Generated by OpenCVE AI on June 17, 2026 at 22:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Extendons
Extendons wordpress & Woocommerce Scraper Plugin, Import Data From Any Site
Wordpress
Wordpress wordpress
Vendors & Products Extendons
Extendons wordpress & Woocommerce Scraper Plugin, Import Data From Any Site
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Arbitrary File Download in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7 versions.
Title WordPress WordPress & WooCommerce Scraper Plugin, Import Data from Any Site plugin <= 1.0.7 - Arbitrary File Download vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Extendons Wordpress & Woocommerce Scraper Plugin, Import Data From Any Site
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:49:54.051Z

Reserved: 2025-12-29T11:19:37.128Z

Link: CVE-2025-69131

cve-icon Vulnrichment

Updated: 2026-06-17T10:49:48.397Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:17Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')