Platform
wordpress
Component
intelligent-importer
Fixed in
5.1.5
CVE-2025-8417 is a critical PHP code injection vulnerability discovered in the Catalog Importer, Scraper & Crawler plugin for WordPress. This flaw allows unauthenticated attackers to execute arbitrary PHP code on the server, potentially leading to complete system compromise. The vulnerability affects versions from 0.0.0 up to and including 5.1.4. A patch is expected to be released by the plugin developers.
The impact of this vulnerability is severe. Successful exploitation allows an attacker to execute arbitrary PHP code on the WordPress server. This can lead to a wide range of malicious activities, including data theft, website defacement, malware installation, and complete server takeover. The lack of authentication requirements significantly lowers the barrier to entry for attackers, making this a high-priority risk. Attackers could potentially gain access to sensitive data stored on the server, including user credentials, database information, and configuration files. Lateral movement within the network is also possible if the server has access to other systems.
This vulnerability is considered high probability due to the ease of exploitation and the lack of authentication. Public proof-of-concept code is likely to emerge quickly. The vulnerability was publicly disclosed on 2025-09-11. It is recommended to monitor CISA and other security advisories for updates and potential KEV listing.
Exploit Status
EPSS
0.28% (52% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the Catalog Importer, Scraper & Crawler plugin to a patched version as soon as it becomes available. Until a patch is released, consider temporarily disabling the plugin if it is not essential. As a temporary workaround, implement strict input validation and sanitization on any user-supplied data used within the plugin. Web application firewalls (WAFs) can be configured to block requests containing suspicious numeric tokens in the query string. Monitor WordPress access logs for unusual activity, particularly requests containing numeric keys in the URL. After upgrading, verify the fix by attempting to access the plugin's import functionality with a forged numeric key; the request should be denied.
Actualice el plugin Catalog Importer, Scraper & Crawler a la última versión disponible para mitigar la vulnerabilidad de inyección de código PHP. Verifique que la autenticación sea robusta y evite el uso de funciones inseguras como eval() con datos proporcionados por el usuario.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-8417 is a HIGH severity vulnerability in the WordPress Catalog Importer plugin allowing unauthenticated attackers to execute arbitrary PHP code due to insecure token handling.
Yes, if you are using the Catalog Importer, Scraper & Crawler plugin in WordPress versions 0.0.0 through 5.1.4, you are vulnerable.
Upgrade the Catalog Importer, Scraper & Crawler plugin to the latest available version as soon as a patch is released. Temporarily disable the plugin if an upgrade is not immediately possible.
While active exploitation is not yet confirmed, the ease of exploitation suggests it is highly likely to be targeted soon after public disclosure.
Check the plugin developer's website and WordPress.org plugin page for updates and security advisories related to CVE-2025-8417.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.