Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network-reachable WordPress plugin endpoint, no auth or interaction required, arbitrary file read yields high confidentiality impact with no integrity or availability effect.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Arbitrary File Download in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7 versions.
AnalysisAI
Unauthenticated arbitrary file download affects the 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' plugin by Extendons in versions up to and including 1.0.7. Remote attackers can exploit a path traversal weakness (CWE-22) to retrieve arbitrary files from the underlying web server without any authentication, exposing sensitive data such as wp-config.php credentials. No public exploit identified at time of analysis, but the network-reachable, no-privilege CVSS profile (7.5) makes opportunistic mass-scanning by WordPress vulnerability scanners likely once disclosed.
Technical ContextAI
The affected component is a WordPress plugin by Extendons that scrapes external sites to import product data into WordPress and WooCommerce stores. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., path traversal): a user-supplied file path parameter is concatenated into a filesystem read operation without canonicalization or whitelisting, so traversal sequences such as '../../../../wp-config.php' or absolute paths escape the intended download directory. The CPE 'cpe:2.3:a:extendons:wordpress_&_woocommerce_scraper_plugin,_import_data_from_any_site:*' confirms all versions are matched in the wildcard, and the EUVD entry constrains this to versions ≤ 1.0.7. Because WordPress plugins run inside the PHP process owned by the webserver user, the disclosure scope covers anything that user can read on disk.
RemediationAI
No vendor-released patch identified at time of analysis - the Patchstack advisory references only the vulnerable range ≤ 1.0.7 with no fixed version cited in the supplied data. Operators should immediately deactivate and remove the 'WordPress & WooCommerce Scraper Plugin' from production WordPress and WooCommerce sites until Extendons publishes a fixed release; track https://patchstack.com/database/wordpress/plugin/wp_scraper/vulnerability/wordpress-wordpress-woocommerce-scraper-plugin-import-data-from-any-site-plugin-1-0-7-arbitrary-file-download-vulnerability for an updated fix version. As compensating controls while the plugin is required, place a WAF rule (Patchstack, Wordfence, or ModSecurity) blocking requests to the plugin's wp-content/plugins/wp_scraper/ paths that contain '..', '%2e%2e', or absolute-path patterns - note this can break legitimate scraping workflows - and restrict file system permissions so the webserver user cannot read sensitive files outside wp-content (trade-off: may break other plugins that legitimately read wp-config.php). Rotate WordPress salts in wp-config.php, the database password, and any API keys stored in the WordPress filesystem on the assumption that wp-config.php has already been disclosed.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210203