Description
The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. This is due to reliance on a guessable numeric token (e.g. ?key= 900001705) without proper authentication, combined with the unsafe use of eval() on user-supplied input. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server via a forged request, provided they can guess or brute-force the numeric key.
Published: 2025-09-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from the plugin passing user-supplied input to eval() without sanitization. A request carrying PHP code in the relevant parameter causes the plugin to execute that code on the WordPress host with the web server's privileges, which in practice means full control of the site and a foothold on the server. The weakness is PHP code injection, CWE-94. The request does not need a WordPress session: the only gate is a numeric token, and the CVSS vector (AV:N/AC:H/PR:N/UI:N) records that as High attack complexity rather than as a privilege requirement, because an attacker who does not already know the token must guess or brute-force it.

Affected Systems

WordPress sites running the idiatech Catalog Importer, Scraper & Crawler plugin at version 5.1.4 or earlier are affected. This record lists no fixed release, so treat every installation at 5.1.4 or below as vulnerable until the vendor ships a version that removes the eval() path.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (High) is held below critical only by the High attack-complexity rating: the attacker must first obtain or guess the numeric key. The example token in the advisory is a nine-digit number, a space an attacker can enumerate if the endpoint imposes no rate limiting or lockout, so the token should not be treated as a meaningful barrier. The EPSS score below 1% estimates a low probability of exploitation in the wild over the next 30 days, and the CVE is not in the CISA KEV catalog; neither says anything about a targeted attack against a specific site. The likely attack path is an unauthenticated HTTP request to the plugin's communication endpoints that supplies the guessed key together with PHP code to execute. Once the key is known, remote exploitation is straightforward and needs no user interaction.

Generated by OpenCVE AI on April 21, 2026 at 03:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin as soon as the vendor publishes a release that removes the eval() path; this record lists no fixed version, so check the plugin's changelog rather than assuming the latest build is safe.
  • Until then, block or restrict access to the plugin's communication endpoints at the web server or WAF (for example with .htaccess rules) so that only authenticated administrators, or only trusted source addresses, can reach the importer, and log and alert on bursts of requests carrying differing numeric key values, which is what brute-forcing the token looks like.
  • As a last-resort temporary safeguard, edit the plugin files to remove the eval() calls that process user input, or replace them with code that dispatches to a fixed set of operations instead of executing arbitrary PHP. Any plugin update will overwrite such edits, so record the change and re-check after updating.
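The following is an added, constructed illustration of the weakness class described in the Impact section and of the "replace eval()" remediation above; it is not the plugin's own code. The handler names, the request shapes, the JSON action format and the constant WEAK_KEY are assumptions (the key value is the example token quoted in the advisory). The vulnerable handler gates on a numeric key compared loosely and then passes the request body to eval(); the hardened handler uses a 256-bit random secret, a constant-time comparison, and a fixed allow-list of actions so that the client can name an operation but never supply code.

```php
<?php
declare(strict_types=1);

// Constructed example (CWE-94: eval() on request data, gated only by a guessable
// numeric key) beside a hardened replacement. Illustrative code, not the
// plugin's own; handler names, request shapes and WEAK_KEY are assumptions.

const WEAK_KEY = '900001705';

// --- Vulnerable pattern ------------------------------------------------------
// The numeric key is the only gate, compared loosely and without rate limiting,
// and the request body is handed straight to eval().
function vulnerable_handler(array $query, string $body): string
{
    if (($query['key'] ?? '') != WEAK_KEY) {
        return 'denied';
    }
    // CWE-94: whatever the client sent is now executed as PHP on the server.
    return (string) eval($body);
}

// --- Hardened pattern --------------------------------------------------------
// 1. A 256-bit random secret instead of a short numeric token.
// 2. hash_equals() for a constant-time, strict string comparison.
// 3. A fixed allow-list of actions instead of eval(); the client can only pick
//    a name, never supply code.
// In a real WordPress plugin the endpoint should additionally require a
// logged-in administrator (current_user_can('manage_options')) and a nonce
// (wp_verify_nonce()) rather than rely on any shared token alone.
function generate_secret(): string
{
    return bin2hex(random_bytes(32));
}

function hardened_handler(array $query, string $body, string $secret): string
{
    $supplied = (string) ($query['key'] ?? '');
    if (!hash_equals($secret, $supplied)) {
        return 'denied';
    }
    try {
        $request = json_decode($body, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return 'bad request';
    }
    if (!is_array($request)) {
        return 'bad request';
    }
    // Only these operations exist; unknown names are rejected, and no request
    // field is ever interpreted as PHP.
    $actions = [
        'ping'  => fn(array $r): string => 'pong',
        'count' => fn(array $r): string => (string) count((array) ($r['items'] ?? [])),
    ];
    $name = (string) ($request['action'] ?? '');
    if (!isset($actions[$name])) {
        return 'unknown action';
    }
    return $actions[$name]($request);
}

// --- Demonstration ----------------------------------------------------------
// A forged request: the attacker has guessed the numeric key and sends PHP as
// the body (a harmless payload here, but it could be anything).
$forged  = ['key' => WEAK_KEY];
$payload = 'return "attacker-controlled code ran on PHP " . PHP_VERSION;';

echo 'vulnerable, guessed key:  ', vulnerable_handler($forged, $payload), PHP_EOL;

$secret = generate_secret();
echo 'hardened, guessed key:    ', hardened_handler($forged, $payload, $secret), PHP_EOL;
echo 'hardened, PHP in body:    ', hardened_handler(['key' => $secret], $payload, $secret), PHP_EOL;
echo 'hardened, allowed action: ',
    hardened_handler(['key' => $secret], '{"action":"count","items":[1,2,3]}', $secret), PHP_EOL;
```

Run it with `php demo.php` (PHP 7.4 or later). The first line shows that knowing the nine-digit key alone is enough to have the server run the client's PHP; the three hardened lines show the guessed key being rejected, a body containing PHP being rejected as malformed input, and a permitted action being served. The hardened code fixes the injection, but it does not replace the interim control of restricting the endpoint at the web server while the plugin itself is unpatched.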



Advisories
Source: EUVD
ID: EUVD-2025-27664
Title: The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. This is due to reliance on a guessable numeric token (e.g. ?key= 900001705) without proper authentication, combined with the unsafe use of eval() on user-supplied input. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server via a forged request granted they can guess or brute-force the numeric key.
History

Fri, 12 Sep 2025 08:15:00 +0000

Type: First Time appeared
Values added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress

Thu, 11 Sep 2025 15:15:00 +0000

Type: Metrics
Values added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Sep 2025 07:30:00 +0000

Type: Description
Values added: The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. This is due to reliance on a guessable numeric token (e.g. ?key= 900001705) without proper authentication, combined with the unsafe use of eval() on user-supplied input. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server via a forged request granted they can guess or brute-force the numeric key.
Type: Title
Values added: Catalog Importer, Scraper & Crawler <= 5.1.4 - Unauthenticated PHP Code Injection
Type: Weaknesses
Values added: CWE-94
Type: References
Type: Metrics
Values added: cvssV3_1
  {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:58.323Z

Reserved: 2025-07-31T14:18:46.597Z

Link: CVE-2025-8417

Vulnrichment

Updated: 2025-09-11T14:06:16.239Z

NVD

Status: Deferred

Published: 2025-09-11T08:15:33.680

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8417

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:15:16Z

Weaknesses