Platform: wordpress
Component: intelligent-importer
Fixed in: 5.1.5
CVE-2025-8417 is a critical PHP code injection vulnerability in the Catalog Importer, Scraper & Crawler plugin for WordPress. It allows unauthenticated attackers to execute arbitrary PHP code on the server, which can lead to complete compromise of the site and host. All plugin versions from 0.0.0 up to and including 5.1.4 are affected; the issue is fixed in version 5.1.5.
The impact of this vulnerability is severe. Successful exploitation allows an attacker to execute arbitrary PHP code on the WordPress server. This can lead to a wide range of malicious activities, including data theft, website defacement, malware installation, and complete server takeover. The lack of authentication requirements significantly lowers the barrier to entry for attackers, making this a high-priority risk. Attackers could potentially gain access to sensitive data stored on the server, including user credentials, database information, and configuration files. Lateral movement within the network is also possible if the server has access to other systems.
Exploitation is considered likely: the flaw needs no authentication and is easy to trigger, even though the EPSS score at the time of writing is low (0.28%). Public proof-of-concept code is likely to appear quickly. The vulnerability was publicly disclosed on 2025-09-11. Monitor CISA and other security advisories for updates and a possible KEV listing.
WordPress sites running the Catalog Importer, Scraper & Crawler plugin at any version from 0.0.0 through 5.1.4 are exposed. Shared hosting environments deserve particular attention: a compromised site there can expose neighbouring accounts where tenant isolation is weak, and such hosts are scanned heavily by automated attackers.
• wordpress (plugin files; -F is required because the pattern contains regex metacharacters):
grep -rnF 'eval($_GET["key"]' /var/www/html/wp-content/plugins/intelligent-importer/
• generic web:
curl -I 'https://your-wordpress-site.com/?key=900001705' # a vulnerable site accepts the forged numeric key; a patched site should reject the request
Exploit status:
EPSS: 0.28% (52nd percentile)
CISA SSVC:
CVSS vector:
The primary mitigation is to upgrade the Catalog Importer, Scraper & Crawler plugin to version 5.1.5 or later, which contains the fix. If the upgrade cannot be applied immediately, deactivate the plugin; if it is not essential, remove it. Hand-editing the plugin so that request data is no longer passed to eval() is at best a stopgap and does not replace the upstream fix. A web application firewall can block requests whose `key` query parameter carries a numeric token or PHP syntax, which are the indicators used on this page. Review WordPress access logs for requests with a `key` parameter in the query string, particularly purely numeric keys. After upgrading, verify the fix by requesting the plugin's import functionality with a forged numeric key; the request should be denied.
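The log review described above, as an added example (not code from this page or from the plugin): a small scanner that parses Apache/nginx combined-format access-log lines, extracts the `key` query parameter, and flags the two indicators this advisory mentions, a purely numeric key token and a key value containing PHP-looking syntax. The log format, the field names, and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log layout (assumed; adjust LOG_RE for custom formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Indicators taken from this advisory: a purely numeric "key" query parameter
# (the forged token) or a "key" value that carries PHP-looking syntax.
NUMERIC_KEY = re.compile(r'^\d+$')
PHP_SYNTAX = re.compile(
    r'[;(){}$`]|<\?|\b(eval|system|exec|passthru|shell_exec)\b', re.IGNORECASE
)


def classify_request(target):
    """Return a finding label for a request target, or None if nothing matched.

    parse_qs percent-decodes values, so an encoded payload such as
    key=system%28%27id%27%29%3B is inspected as system('id');
    """
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in query.get('key', []):
        if PHP_SYNTAX.search(value):
            return 'php-like payload in key parameter'
        if NUMERIC_KEY.match(value):
            return 'numeric key token'
    return None


def scan_log(lines):
    """Parse access-log lines and return one finding dict per suspicious request."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed or non-matching line: skipped, not raised
        finding = classify_request(match.group('target'))
        if finding is None:
            continue
        findings.append({
            'ip': match.group('ip'),
            'time': match.group('ts'),
            'method': match.group('method'),
            'target': match.group('target'),
            'status': int(match.group('status')),
            'finding': finding,
        })
    return findings


# Constructed sample log lines (not real traffic); the third and fourth are benign.
SAMPLE_LOG = [
    '203.0.113.10 - - [11/Sep/2025:10:00:01 +0000] "GET /?key=900001705 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.10 - - [11/Sep/2025:10:00:02 +0000] "GET /?key=system%28%27id%27%29%3B HTTP/1.1" 200 128 "-" "python-requests/2.31"',
    '198.51.100.7 - - [11/Sep/2025:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Sep/2025:10:01:05 +0000] "GET /?s=keyboard&key= HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Sep/2025:08:30:00 +0000] "GET /?key=900001705 HTTP/1.1" 403 0 "-" "curl/8.0"',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['method']} {hit['target']} "
              f"-> {hit['status']} [{hit['finding']}]")
```

Run it against a real log with `scan_log(open('/var/log/nginx/access.log'))`. A numeric-key hit that returned 200 before the upgrade and 403 afterwards (the last sample line) is the pattern you expect to see once the fix is in place; a 200 after the upgrade means the request is still being accepted and deserves a closer look.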
Update the Catalog Importer, Scraper & Crawler plugin to the latest available version to mitigate the PHP code injection vulnerability. Make sure authentication is robust and avoid using unsafe functions such as eval() on user-supplied data.
CVE-2025-8417 is a critical vulnerability in the WordPress Catalog Importer, Scraper & Crawler plugin that allows unauthenticated attackers to execute arbitrary PHP code because of insecure token handling.
Yes. If you use the Catalog Importer, Scraper & Crawler plugin at any version from 0.0.0 through 5.1.4, you are vulnerable.
Upgrade the Catalog Importer, Scraper & Crawler plugin to version 5.1.5 or later. Temporarily deactivate the plugin if an upgrade is not immediately possible.
While active exploitation is not yet confirmed, the ease of exploitation suggests it is highly likely to be targeted soon after public disclosure.
Check the plugin developer's website and WordPress.org plugin page for updates and security advisories related to CVE-2025-8417.