Wordpress Woocommerce Scraper Plugin Import Data From Any Site
Monthly
Unauthenticated arbitrary file upload in the Extendons 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' (versions <= 1.0.7) lets remote attackers upload arbitrary files, including PHP webshells, to vulnerable WordPress sites and gain code execution. The CVSS 10.0 score with Scope:Changed reflects that compromise of the plugin can escalate to full host takeover, though no public exploit was identified at time of analysis and the flaw is not listed in CISA KEV.
Unauthenticated arbitrary file download affects the 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' plugin by Extendons in versions up to and including 1.0.7. Remote attackers can exploit a path traversal weakness (CWE-22) to retrieve arbitrary files from the underlying web server without any authentication, exposing sensitive data such as wp-config.php credentials. No public exploit identified at time of analysis, but the network-reachable, no-privilege CVSS profile (7.5) makes opportunistic mass-scanning by WordPress vulnerability scanners likely once disclosed.
Unauthenticated arbitrary file upload in the Extendons 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' (versions <= 1.0.7) lets remote attackers upload arbitrary files, including PHP webshells, to vulnerable WordPress sites and gain code execution. The CVSS 10.0 score with Scope:Changed reflects that compromise of the plugin can escalate to full host takeover, though no public exploit was identified at time of analysis and the flaw is not listed in CISA KEV.
Unauthenticated arbitrary file download affects the 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' plugin by Extendons in versions up to and including 1.0.7. Remote attackers can exploit a path traversal weakness (CWE-22) to retrieve arbitrary files from the underlying web server without any authentication, exposing sensitive data such as wp-config.php credentials. No public exploit identified at time of analysis, but the network-reachable, no-privilege CVSS profile (7.5) makes opportunistic mass-scanning by WordPress vulnerability scanners likely once disclosed.