Critical Security Flaw Found in Popular WordPress Plugin Crawlomatic
A major security flaw has been identified in the widely used WordPress plugin Crawlomatic Multisite Scraper Post Generator, potentially putting thousands of websites at risk. Tracked as CVE-2025-4389, the vulnerability enables unauthenticated attackers to upload arbitrary files, which could lead to remote code execution on vulnerable sites.
Crawlomatic, sold for $59 per license on the Envato CodeCanyon marketplace, is a well-known autoblogging plugin. It allows users to automatically scrape and republish content from various sources including forums, RSS feeds, weather data, and JavaScript-heavy websites. Its marketing promises to transform a site into a money-making tool.
The plugin's sales page highlights several quality assurance badges, claiming compliance with Envato’s WordPress standards and best practices. These claims are now under scrutiny following the discovery of this severe security issue.
Details of CVE-2025-4389
The root of the problem is a lack of file type validation in the crawlomatic_generate_featured_image() function. All plugin versions up to and including 2.6.8.1 are affected. This flaw allows attackers to upload any type of file, including harmful scripts, without needing to authenticate. Security firm Wordfence, which reported the flaw, confirmed that successful exploitation can result in full site compromise through remote code execution.
- Vulnerability Name: Unauthenticated Arbitrary File Upload
- Affected Versions: Up to 2.6.8.1
- Patched Version: 2.6.8.2
- CVSS Score: 9.8 (Critical)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Disclosure Date: May 16, 2025
- Discovered by: Foxyyy
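The missing check described above is a content-based validation step that any routine fetching a remote "image" into wp-content/uploads needs to run before writing the file. The following is an added example, not Crawlomatic's code or its 2.6.8.2 fix; the function names, the extension allowlist and the sample inputs are assumptions constructed for illustration.

```python
"""Content-based validation a remote featured-image fetcher should run before
writing a file into wp-content/uploads. Added example, not Crawlomatic's code
nor its 2.6.8.2 fix; the checks are an assumed hardening."""
import os

# Magic-byte signatures for the image types a featured image may legitimately be.
SIGNATURES = {"jpg": (b"\xff\xd8\xff",), "png": (b"\x89PNG\r\n\x1a\n",),
              "gif": (b"GIF87a", b"GIF89a")}
ALLOWED_EXT = {"jpg", "png", "gif", "webp"}

def sniff_image_type(data: bytes):
    """Return the image type implied by the bytes themselves, or None."""
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    for kind, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return None

def validate_featured_image(filename: str, data: bytes):
    """Return (ok, reason). The name is what the scraped source claimed; only
    the content is trusted, so extension and bytes must agree."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must have exactly one extension"
    ext = "jpg" if parts[1] == "jpeg" else parts[1]
    if ext not in ALLOWED_EXT:
        return False, f".{parts[1]} is not an allowed image extension"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content is not a recognised image"
    if sniffed != ext:
        return False, f"content is {sniffed} but extension claims {ext}"
    if b"<?php" in data or b"<?=" in data:
        return False, "image bytes contain PHP tags"
    return True, "ok"

# Constructed sample inputs (not from the page), one per failure mode.
SAMPLES = {
    "cover.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,          # valid image
    "update.php": b"<?php echo 'constructed'; ?>",              # script, not an image
    "cover.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,       # double extension
    "cover.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,          # content/extension mismatch
    "banner.gif": b"GIF89a" + b"<?php echo 1; ?>",              # PHP tags behind a GIF header
}

def check_samples():
    """Map each sample name to the validator's accept/reject verdict."""
    return {n: validate_featured_image(n, d)[0] for n, d in SAMPLES.items()}
```

Inside WordPress the equivalent role is played by wp_check_filetype_and_ext() and the upload_mimes filter, which a plugin should consult before sideloading a remote file into the media library. The last sample shows why a magic-byte check alone is not enough: the file is a structurally valid GIF that still carries executable PHP.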
Why This Matters
This vulnerability is especially dangerous because it can be exploited easily. It requires no login credentials or user interaction and can be used to upload malicious files that grant attackers full control of the server. With a CVSS score of 9.8, this issue is categorized as critical.
Website administrators using Crawlomatic are strongly advised to update to version 2.6.8.2 immediately to mitigate this risk.