CVE-2025-62088
Description
Server-Side Request Forgery (SSRF) vulnerability in extendons WordPress & WooCommerce Scraper Plugin, Import Data from Any Site wp_scraper allows Server Side Request Forgery. This issue affects WordPress & WooCommerce Scraper Plugin, Import Data from Any Site: from n/a through <= 1.0.7.
Analysis
Server-Side Request Forgery (SSRF) in the WordPress & WooCommerce Scraper Plugin (wp_scraper) versions up to 1.0.7 allows unauthenticated attackers to make arbitrary HTTP requests from the affected WordPress server. The vulnerability exists in the plugin's core scraping functionality, which fails to properly validate or restrict the target URLs that can be requested. An attacker can exploit this to scan internal networks, access internal services, exfiltrate data from backend systems, or perform reconnaissance against the hosting infrastructure. No public exploit code had been identified at the time of analysis, and the EPSS score is a minimal 0.01%, but the vulnerability affects every installation running a vulnerable plugin version.
Technical Context
The vulnerability is rooted in CWE-918 (Server-Side Request Forgery), which occurs when user-supplied input is used to construct HTTP requests without proper validation or filtering. The WordPress & WooCommerce Scraper Plugin (identified by CPE reference to the wp_scraper plugin) implements a web scraping feature that accepts URLs or site references as input. When the plugin's scraping function processes these inputs, it does not implement appropriate URL allowlisting, URL scheme restrictions, or blocking of internal IP ranges. This allows attackers to craft malicious input that causes the server to make requests to unintended targets, such as localhost services (127.0.0.1, ::1), private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), or cloud metadata services (169.254.169.254). The plugin's failure to validate the Referer, Host, or request origin compounds the risk, particularly if the WordPress installation has privileged access to internal systems or APIs.
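As an added example (not the plugin's code, nor the vendor's fix), the Python helper below shows the target validation this paragraph says is missing: a scheme allowlist, rejection of credentials in the authority, and a check of every resolved address against loopback, private, link-local and metadata ranges, including IPv4-mapped IPv6 forms. The DNS table and the addresses in it are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline; production code would
# use system_resolver below instead of sample_resolver.
SAMPLE_DNS = {
    "example.com": {"93.184.216.34"},
    "intranet.local": {"10.0.0.5"},
    "rebind.test": {"93.184.216.34", "127.0.0.1"},  # one public, one loopback
}

def system_resolver(host):
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise OSError("NXDOMAIN (constructed)")
    return SAMPLE_DNS[host]

def is_public_address(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # Judge IPv4-mapped IPv6 (::ffff:127.0.0.1) as the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def resolve_safe_target(url, resolver=system_resolver):
    """Return (host, sorted addresses) if url may be scraped, else None."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # reject user:pass@host forms outright
    host = parts.hostname
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP, no DNS lookup
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return None
    if not addrs or not all(is_public_address(a) for a in addrs):
        return None
    # The fetch must connect to one of these addresses (sending Host itself);
    # re-resolving at fetch time would let a DNS rebinding answer bypass the check.
    return host, sorted(addrs)
```

A scraper that validates once and then hands the original hostname to an HTTP client that resolves it again is still exposed to rebinding, which is why the function returns the vetted addresses for the caller to pin.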
Affected Products
The WordPress & WooCommerce Scraper Plugin, Import Data from Any Site (wp_scraper) is affected in all versions from inception through 1.0.7. The plugin is published on the WordPress Plugin Directory and can be identified by the slug 'wp_scraper' or product identifier 'wordpress-wordpress-woocommerce-scraper-plugin-import-data-from-any-site-plugin'. The vulnerability affects all WordPress installations that have this plugin installed and activated, regardless of WordPress core version or PHP version, as long as the plugin version is 1.0.7 or earlier. Additional vulnerability details and plugin metadata are available in the Patchstack database reference provided.
Remediation
Update the WordPress & WooCommerce Scraper Plugin (wp_scraper) to version 1.0.8 or later. Users should log in to their WordPress admin dashboard, navigate to Plugins > Installed Plugins, locate 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site', and click 'Update'. If automatic updates are enabled, the plugin will be patched automatically upon release. For WordPress sites with restricted plugin update permissions, administrators should manually download the patched version from the WordPress Plugin Directory (https://wordpress.org/plugins/wp_scraper/) and upload it via SFTP or the WordPress plugin uploader. As an interim mitigation prior to patching, site administrators can disable the plugin entirely if the scraping functionality is not actively in use, or restrict access to the plugin's admin pages using Web Application Firewall (WAF) rules or WordPress security plugins that filter requests containing suspicious URL parameters. Additional remediation guidance is available in the Patchstack vulnerability database entry.