Skip to main content

WordPress Scraper Plugin EUVDEUVD-2025-210203

| CVE-2025-69131 HIGH
Path Traversal (CWE-22)
2026-06-16 Patchstack
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Network-reachable WordPress plugin endpoint, no auth or interaction required, arbitrary file read yields high confidentiality impact with no integrity or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 23:58 vuln.today
CVE Published
Jun 16, 2026 - 20:57 cve.org
HIGH 7.5

DescriptionCVE.org

Unauthenticated Arbitrary File Download in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7 versions.

AnalysisAI

Unauthenticated arbitrary file download affects the 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' plugin by Extendons in versions up to and including 1.0.7. Remote attackers can exploit a path traversal weakness (CWE-22) to retrieve arbitrary files from the underlying web server without any authentication, exposing sensitive data such as wp-config.php credentials. No public exploit identified at time of analysis, but the network-reachable, no-privilege CVSS profile (7.5) makes opportunistic mass-scanning by WordPress vulnerability scanners likely once disclosed.

Technical ContextAI

The affected component is a WordPress plugin by Extendons that scrapes external sites to import product data into WordPress and WooCommerce stores. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., path traversal): a user-supplied file path parameter is concatenated into a filesystem read operation without canonicalization or whitelisting, so traversal sequences such as '../../../../wp-config.php' or absolute paths escape the intended download directory. The CPE 'cpe:2.3:a:extendons:wordpress_&_woocommerce_scraper_plugin,_import_data_from_any_site:*' confirms all versions are matched in the wildcard, and the EUVD entry constrains this to versions ≤ 1.0.7. Because WordPress plugins run inside the PHP process owned by the webserver user, the disclosure scope covers anything that user can read on disk.

RemediationAI

No vendor-released patch identified at time of analysis - the Patchstack advisory references only the vulnerable range ≤ 1.0.7 with no fixed version cited in the supplied data. Operators should immediately deactivate and remove the 'WordPress & WooCommerce Scraper Plugin' from production WordPress and WooCommerce sites until Extendons publishes a fixed release; track https://patchstack.com/database/wordpress/plugin/wp_scraper/vulnerability/wordpress-wordpress-woocommerce-scraper-plugin-import-data-from-any-site-plugin-1-0-7-arbitrary-file-download-vulnerability for an updated fix version. As compensating controls while the plugin is required, place a WAF rule (Patchstack, Wordfence, or ModSecurity) blocking requests to the plugin's wp-content/plugins/wp_scraper/ paths that contain '..', '%2e%2e', or absolute-path patterns - note this can break legitimate scraping workflows - and restrict file system permissions so the webserver user cannot read sensitive files outside wp-content (trade-off: may break other plugins that legitimately read wp-config.php). Rotate WordPress salts in wp-config.php, the database password, and any API keys stored in the WordPress filesystem on the assumption that wp-config.php has already been disclosed.

Share

EUVD-2025-210203 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy