Skip to main content

Wordpress Woocommerce Scraper Plugin Import Data From Any Site

2 CVEs product

Monthly

CVE-2025-69129 CRITICAL Act Now

Unauthenticated arbitrary file upload in the Extendons 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' (versions <= 1.0.7) lets remote attackers upload arbitrary files, including PHP webshells, to vulnerable WordPress sites and gain code execution. The CVSS 10.0 score with Scope:Changed reflects that compromise of the plugin can escalate to full host takeover, though no public exploit was identified at time of analysis and the flaw is not listed in CISA KEV.

File Upload WordPress Wordpress Woocommerce Scraper Plugin Import Data From Any Site
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2025-69131 HIGH This Week

Unauthenticated arbitrary file download affects the 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' plugin by Extendons in versions up to and including 1.0.7. Remote attackers can exploit a path traversal weakness (CWE-22) to retrieve arbitrary files from the underlying web server without any authentication, exposing sensitive data such as wp-config.php credentials. No public exploit identified at time of analysis, but the network-reachable, no-privilege CVSS profile (7.5) makes opportunistic mass-scanning by WordPress vulnerability scanners likely once disclosed.

Path Traversal WordPress Wordpress Woocommerce Scraper Plugin Import Data From Any Site
NVD
CVSS 3.1
7.5
EPSS
0.5%
EPSS 0% CVSS 10.0
CRITICAL Act Now

Unauthenticated arbitrary file upload in the Extendons 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' (versions <= 1.0.7) lets remote attackers upload arbitrary files, including PHP webshells, to vulnerable WordPress sites and gain code execution. The CVSS 10.0 score with Scope:Changed reflects that compromise of the plugin can escalate to full host takeover, though no public exploit was identified at time of analysis and the flaw is not listed in CISA KEV.

File Upload WordPress Wordpress Woocommerce Scraper Plugin Import Data From Any Site
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Unauthenticated arbitrary file download affects the 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' plugin by Extendons in versions up to and including 1.0.7. Remote attackers can exploit a path traversal weakness (CWE-22) to retrieve arbitrary files from the underlying web server without any authentication, exposing sensitive data such as wp-config.php credentials. No public exploit identified at time of analysis, but the network-reachable, no-privilege CVSS profile (7.5) makes opportunistic mass-scanning by WordPress vulnerability scanners likely once disclosed.

Path Traversal WordPress Wordpress Woocommerce Scraper Plugin Import Data From Any Site
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy