Skip to main content

WordPress WooCommerce Scraper CVE-2025-69129

| EUVDEUVD-2025-210228 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-17 Patchstack
10.0
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
10.0 CRITICAL

Unauthenticated network-reachable arbitrary file upload yielding webshell RCE that breaches the WordPress security authority and compromises the host, justifying PR:N, AC:L, S:C and full C/I/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 12:42 vuln.today
CVE Published
Jun 17, 2026 - 09:50 cve.org
CRITICAL 10.0

DescriptionCVE.org

Unauthenticated Arbitrary File Upload in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7 versions.

AnalysisAI

Unauthenticated arbitrary file upload in the Extendons 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' (versions <= 1.0.7) lets remote attackers upload arbitrary files, including PHP webshells, to vulnerable WordPress sites and gain code execution. The CVSS 10.0 score with Scope:Changed reflects that compromise of the plugin can escalate to full host takeover, though no public exploit was identified at time of analysis and the flaw is not listed in CISA KEV.

Technical ContextAI

The vulnerability is rooted in CWE-434 (Unrestricted Upload of File with Dangerous Type), a class of flaw in which upload handlers fail to validate or restrict file extensions, MIME types, or destination paths. The affected component is a WordPress plugin distributed by Extendons (CPE: cpe:2.3:a:extendons:wordpress_&_woocommerce_scraper_plugin,_import_data_from_any_site) whose purpose is to scrape and import product data from arbitrary remote sites into WooCommerce. Because the upload endpoint is exposed without authentication, the typical WordPress upload-validation pipeline (capability checks via current_user_can, nonce verification, and wp_check_filetype_and_ext) is either bypassed or not invoked, allowing an attacker-supplied file to land inside the web-served directory tree where PHP can be executed by the server.

RemediationAI

Upstream fix available per Patchstack advisory; a released patched version is not independently confirmed from the provided data, so administrators should upgrade to any Extendons-issued release strictly greater than 1.0.7 as soon as the vendor publishes one and consult https://patchstack.com/database/wordpress/plugin/wp_scraper/vulnerability/wordpress-wordpress-woocommerce-scraper-plugin-import-data-from-any-site-plugin-1-0-7-arbitrary-file-upload-vulnerability for the canonical fix reference. Until a verified fixed build is installed, the highest-confidence mitigation is to deactivate and remove the plugin from WordPress, which fully closes the attack surface at the cost of losing the scraping/import functionality; if removal is not feasible, deny public access to the plugin's upload endpoint under /wp-content/plugins/wp_scraper/ via the web server or a WAF rule (Patchstack/Wordfence virtual patch), accepting that legitimate admin imports will also be blocked. As a hardening step, disable PHP execution inside wp-content/uploads via an .htaccess or nginx location rule so any file that does land cannot be executed, and audit uploads, web logs, and active themes/plugins for unfamiliar PHP files written on or after the plugin's installation date.

Share

CVE-2025-69129 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy