Crawlomatic WordPress plugin patched for critical 9.8 RCE flaw – Model Slux

The WordPress plugin "Crawlomatic Multipage Scraper Post Generator" was updated on Friday to patch a critical vulnerability that could lead to remote code execution (RCE).

The flaw, tracked as CVE-2025-4369, has a CVSS score of 9.8 and affects all versions of Crawlomatic prior to version 2.6.8.2.

Crawlomatic is a plugin by CodeRevolution that automatically scrapes websites for content such as weather forecasts, sports results, job listings, news reports and more to publish on the user's WordPress site.

The plugin has more than 1,100 sales on the Envato marketplace with an average 4.83 customer star rating.

The CVE-2025-4369 vulnerability, which was reported by Wordfence and discovered by a researcher known as Foxyyy, stems from a missing file type validation in the function "crawlomatic_generate_feaured_image()". An attacker could exploit this vulnerable function to upload any file type without authentication, potentially leading to RCE on the affected site's server.

SC Media reached out to Wordfence for more information on how an attacker could upload arbitrary files and did not receive a response.

Users should ensure their Crawlomatic plugin is updated to version 2.6.8.2 to prevent exploitation of CVE-2025-4369.

A potentially related vulnerability in another CodeRevolution WordPress plugin, "Echo RSS Feed Post Generator," tracked as CVE-2025-4391, was also patched on Friday in version 5.4.8.2. CVE-2025-4391 also has a CVSS score of 9.8. This flaw involves missing file type validation in the "echo_generate_feaured_image()" function and could lead to RCE.
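The missing check described above, as an added example that is not code from Crawlomatic, Echo or Aiomatic: a Python model of content-based file-type validation for a fetched featured image, where a file is written to the uploads area only if its extension is on an image allowlist and its leading bytes are that format's signature (function names and sample inputs are constructed; in WordPress itself the equivalent is wp_check_filetype_and_ext() together with a capability check before any write to the uploads directory).

```python
"""Content-based image validation of the kind the patched plugins were missing.

Added example, not code from Crawlomatic, Echo or Aiomatic: a featured-image
file is accepted only if its extension is on an image allowlist AND its first
bytes are that format's signature. Sample inputs are constructed.
"""
import os

# Extension -> accepted magic-byte prefixes for that extension.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "webp": (b"RIFF",),  # RIFF container; bytes 8..12 must read WEBP
}


def validate_featured_image(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Only the final extension is considered,
    so a double extension like 'x.php.png' is judged as 'png' and then
    fails because the bytes are not a PNG."""
    base = os.path.basename(filename)  # drop any path component
    root, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or not root or ext not in IMAGE_SIGNATURES:
        return False, f"extension {ext!r} not in image allowlist"
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, f"content is not a {ext} file"
    if ext == "webp" and data[8:12] != b"WEBP":
        return False, "RIFF container is not WEBP"
    # Magic bytes stop extension lies, not polyglots: re-encode the image
    # with an image library and keep script execution disabled in uploads.
    return True, "ok"


# Constructed samples: valid headers, a script, an extension lie, a path trick.
SAMPLES = {
    "sunset.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "photo.JPG": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "clip.webp": b"RIFF\x10\x00\x00\x00WEBPVP8 ",
    "script.php": b"<?php echo 1; ?>",
    "script.php.png": b"<?php echo 1; ?>",
    "../../evil.png": b"\x89PNG\r\n\x1a\n",
}


def check_all() -> dict:
    """Map each sample name to whether the validator accepts it."""
    return {n: validate_featured_image(n, d)[0] for n, d in SAMPLES.items()}
```

Running check_all() accepts the three genuine images (including the path-prefixed one, since only the basename is used) and rejects both script files, which is the decision the vulnerable functions never made.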
Echo RSS Feed Post Generator has more than 1,900 sales on the Envato marketplace.

In March 2025, CodeRevolution patched a missing file validation in its "Aiomatic – Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT Chatbot & AI Toolkit" WordPress plugin affecting the "aiomatic_generate_featured_image()" function, tracked as CVE-2024-13882.

Unlike the other two vulnerabilities, CVE-2024-13882 only allowed arbitrary file upload by authenticated attackers with Contributor-level access or above and had a high CVSS score of 8.8.

Another arbitrary file upload flaw in a different plugin called WP Ultimate CSV Importer affected more than 20,000 WordPress sites when it was reported last month. Tracked as CVE-2025-2008, this flaw could be exploited by authenticated attackers with Subscriber-level access or higher.

Vulnerabilities in WordPress plugins can facilitate widespread attack campaigns, such as the Balada Injector campaign that impacted more than 6,700 sites vulnerable to a Popup Builder plugin cross-site scripting flaw between December 2023 and January 2024.
