The WordPress plugin “Crawlomatic Multipage Scraper Post Generator” was updated on Friday to patch a critical vulnerability that could lead to remote code execution (RCE).
The flaw, tracked as CVE-2025-4369, has a CVSS score of 9.8 and affects all versions of Crawlomatic prior to version 2.6.8.2.
Crawlomatic is a plugin by CodeRevolution that automatically scrapes websites for content such as weather forecasts, sports results, job listings, news reports and more to publish on the user’s WordPress site.
The plugin has more than 1,100 sales on the Envato marketplace with an average 4.83 customer star rating.
The CVE-2025-4369 vulnerability, which was reported by Wordfence and discovered by a researcher known as Foxyyy, stems from missing file type validation in the plugin’s “crawlomatic_generate_feaured_image()” function.
Because the function does not check the type of the file it fetches before writing it to the site, an unauthenticated attacker could use it to upload a file of any type to the affected site’s server, potentially leading to RCE.
SC Media reached out to Wordfence for more information on how an attacker could upload arbitrary files and did not receive a response.
Users should ensure their Crawlomatic plugin is updated to version 2.6.8.2 or later to prevent exploitation of CVE-2025-4369.
A potentially related vulnerability in another CodeRevolution WordPress plugin, “Echo RSS Feed Post Generator,” tracked as CVE-2025-4391, was also patched on Friday in version 5.4.8.2. CVE-2025-4391 likewise has a CVSS score of 9.8.
This flaw involves missing file type validation in the “echo_generate_feaured_image()” function and could lead to RCE. Echo RSS Feed Post Generator has more than 1,900 sales on the Envato marketplace.
In March 2025, CodeRevolution patched missing file type validation in its “Aiomatic – Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit” WordPress plugin affecting the “aiomatic_generate_featured_image()” function, tracked as CVE-2024-13882.
Unlike the other two vulnerabilities, CVE-2024-13882 only allowed arbitrary file upload by authenticated attackers with Contributor-level access or above, and it carried a high-severity CVSS score of 8.8.
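All three CodeRevolution flaws above share one root cause: a “generate featured image” helper that saves a remotely fetched file without checking what kind of file it is. The snippet below is an added illustration, not code from Crawlomatic, Echo RSS Feed Post Generator or Aiomatic (the article does not show their source), and the function names beginning with `example_` are invented for this page. It contrasts a hypothetical helper that trusts the extension in the remote URL with one that lets WordPress determine the type from the file’s contents. The WordPress APIs it calls (`download_url()`, `wp_get_image_mime()`, `wp_check_filetype_and_ext()`, `media_handle_sideload()`) are real and it assumes it runs inside a WordPress plugin.

```php
<?php
/**
 * Hypothetical featured-image helpers (example code, not any vendor's plugin).
 * Assumes execution inside WordPress, where the wp_* functions used below exist.
 */

// ---- Pattern A: missing file type validation (the vulnerable pattern) ----
function example_generate_featured_image_vulnerable( $image_url, $post_id ) {
    $upload_dir = wp_upload_dir();

    // The file name, and therefore the extension, is copied straight from the
    // attacker-controlled URL. https://attacker.example/shell.php is written to
    // <uploads>/shell.php, a web-reachable directory, and the web server will
    // execute it on the next request. Nothing here checks the content type.
    $filename = basename( parse_url( $image_url, PHP_URL_PATH ) );
    $dest     = trailingslashit( $upload_dir['path'] ) . $filename;

    $body = wp_remote_retrieve_body( wp_remote_get( $image_url ) );
    file_put_contents( $dest, $body );

    return $dest; // caller would then attach it to $post_id
}

// ---- Pattern B: type decided from the bytes, name chosen by the plugin ----
function example_generate_featured_image_hardened( $image_url, $post_id ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    // Refuse anything that is not a plain http(s) URL (no file://, data:, etc.).
    if ( ! wp_http_validate_url( $image_url ) ) {
        return new WP_Error( 'bad_url', 'Refusing non-http(s) image URL.' );
    }

    // Fetch into a temp file first; nothing lands under wp-content/uploads yet.
    $tmp = download_url( $image_url );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }

    // Determine the type from the file contents, not from the URL or any
    // Content-Type header the remote server sent.
    $allowed = array(
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
        'image/webp' => 'webp',
    );
    $mime = wp_get_image_mime( $tmp );
    if ( ! $mime || ! isset( $allowed[ $mime ] ) ) {
        @unlink( $tmp );
        return new WP_Error( 'bad_type', 'Remote file is not an allowed image type.' );
    }

    // The extension is ours, derived from the detected MIME type; the
    // attacker's original file name is never used.
    $name = sanitize_file_name(
        'featured-' . (int) $post_id . '-' . wp_generate_password( 8, false ) . '.' . $allowed[ $mime ]
    );

    // Cross-check extension against real content once more using core's table
    // of permitted types (respects the upload_mimes filter and unfiltered_upload).
    $check = wp_check_filetype_and_ext( $tmp, $name );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        @unlink( $tmp );
        return new WP_Error( 'bad_type', 'Extension and content do not agree.' );
    }

    // media_handle_sideload() runs wp_handle_sideload(), which validates the
    // type again and moves the file into the uploads directory itself.
    $file_array    = array( 'name' => $name, 'tmp_name' => $tmp );
    $attachment_id = media_handle_sideload( $file_array, $post_id );
    if ( is_wp_error( $attachment_id ) ) {
        @unlink( $tmp );
        return $attachment_id;
    }

    set_post_thumbnail( $post_id, $attachment_id );
    return $attachment_id;
}
```

Two points a reviewer of such a helper would also check: the code path that calls it should be reachable only by a user with an appropriate capability (for example `upload_files`) and, where triggered from an AJAX or REST handler, should verify a nonce, since a file-type check alone does not explain why an unauthenticated request could reach the function in the first place; and the uploads directory should not execute scripts at all, which on Apache can be enforced with a `.htaccess` that disables the PHP handler there and on nginx with a `location` block that refuses `.php` under `wp-content/uploads`.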
Another arbitrary file upload flaw in a different plugin called WP Ultimate CSV Importer affected more than 20,000 WordPress sites when it was reported last month. Tracked as CVE-2025-2008, this flaw could be exploited by authenticated attackers with Subscriber-level access or higher.
Vulnerabilities in WordPress plugins can facilitate widespread attack campaigns, such as the Balada Injector campaign that impacted more than 6,700 sites vulnerable to a Popup Builder plugin cross-site scripting flaw between December 2023 and January 2024.