A severe security vulnerability has been discovered in the popular WordPress plugin, Crawlomatic Multisite Scraper Post Generator, potentially placing thousands of websites at risk. Tracked as CVE-2025-4389, the flaw allows unauthenticated attackers to upload malicious files, which could ultimately lead to remote code execution on affected websites.
The Crawlomatic plugin, sold on the Envato CodeCanyon marketplace for $59 per license, is a widely used autoblogging tool. It enables WordPress users to scrape and republish content from various sources such as forums, RSS feeds, weather statistics, and even JavaScript-based websites. It advertises the ability to turn a website into a “money-making machine.”
Prominently featured on its sales page are badges indicating it meets Envato’s “WordPress quality standards,” including being “Envato WP Requirements Compliant.” This suggests that the plugin supposedly follows strong security and coding practices—something now in serious question following the newly discovered Crawlomatic vulnerability.
Details of CVE-2025-4389
The core of the issue lies in a missing file type validation in the plugin’s crawlomatic_generate_featured_image() function. This flaw, present in all versions up to and including 2.6.8.1, allows attackers to upload arbitrary files—including potentially dangerous scripts—without any form of authentication.
According to Wordfence, the security firm that disclosed the issue, the vulnerability can lead to remote code execution, giving attackers full control over the affected website.
- Vulnerability Name: Unauthenticated Arbitrary File Upload
- Affected Versions: ≤ 2.6.8.1
- Patched Version: 2.6.8.2
- CVSS Score: 9.8 (Critical)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Disclosure Date: May 16, 2025
- Researcher: Foxyyy
Why This Vulnerability Is Dangerous
The critical vulnerability in Crawlomatic can target unsuspecting victims due to the ease of exploitation. It requires no authentication or user interaction and allows for file uploads that can compromise the server entirely. A CVSS score of 9.8 places this issue in the “critical” range.
This is a textbook example of an unauthenticated arbitrary file upload flaw—one of the most dangerous types of vulnerabilities in web applications. With this level of access, attackers could deface websites, steal user data, or install persistent malware.
The plugin developer has responded by releasing a patched version—2.6.8.2—which addresses the issue by adding proper file type validation. Users of the plugin are strongly encouraged to update immediately to avoid potential compromise.
Those who have not yet updated are at high risk, as exploits could be automated and distributed widely, given the simplicity of the attack vector.
