Overview
A critical vulnerability identified as CVE-2025-4389 affects the Crawlomatic Multipage Scraper Post Generator plugin for WordPress, up to and including version 2.6.8.1. Discovered by Friderika Baranyai and disclosed on May 16, 2025, this flaw enables unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution (RCE).
Technical Details
The vulnerability resides in the crawlomatic_generate_featured_image() function, which lacks proper file type validation. As a result, attackers can upload malicious files directly to the affected server without any authentication. This violates best practices in secure coding, particularly around file handling and input validation.
This issue is categorized under CWE-434: Unrestricted Upload of File with Dangerous Type, which involves failure to restrict uploads to safe file types, opening the door for execution of hostile code on the server.
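The defect class described above (a file written to disk with no check of its type, reachable without authentication) is easiest to see next to its corrected form. The following is an added illustration, not the Crawlomatic plugin's own code: both functions, their names, the EXAMPLE_FEATURED_IMAGE_MIMES map and the input shape (a file already fetched to a temporary path, as a scraper building a featured image would have) are assumptions. It assumes a WordPress environment; current_user_can(), sanitize_file_name(), wp_check_filetype_and_ext(), media_handle_sideload() and set_post_thumbnail() are core WordPress APIs, and exif_imagetype() needs PHP's exif extension.

```php
<?php
// Added illustrative example; not the Crawlomatic plugin's code.
// Assumes WordPress is loaded. Function and constant names are hypothetical.

// Image-only MIME map: everything outside this allowlist is rejected,
// independent of the site's global upload settings.
const EXAMPLE_FEATURED_IMAGE_MIMES = array(
    'jpg|jpeg' => 'image/jpeg',
    'png'      => 'image/png',
    'gif'      => 'image/gif',
    'webp'     => 'image/webp',
);

/**
 * Weak pattern (CWE-434): the file is placed in a web-served directory under
 * the caller-supplied name, with no authorisation and no check of its type.
 * $file carries 'name' and 'tmp_name' (a temporary path), like $_FILES does.
 */
function example_weak_store_image( array $file, string $upload_dir ) {
    $dest = $upload_dir . '/' . basename( $file['name'] );
    return rename( $file['tmp_name'], $dest ) ? $dest : false;
}

/**
 * Hardened pattern: authorisation, a content-based image check, an
 * extension/MIME allowlist reconciled with the real contents, and finally
 * WordPress' own sideload pipeline (which re-runs wp_check_filetype_and_ext()
 * against the site's allowed MIME types and stores the file under a
 * sanitised, unique name). Returns an attachment ID or a WP_Error.
 */
function example_hardened_store_featured_image( array $file, int $post_id ) {
    // 1. Only users permitted to upload media may reach this path at all.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }

    // 2. Look at the bytes, not the name: the content must be an allowed image.
    $allowed_types = array( IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF, IMAGETYPE_WEBP );
    $detected      = @exif_imagetype( $file['tmp_name'] );
    if ( false === $detected || ! in_array( $detected, $allowed_types, true ) ) {
        return new WP_Error( 'bad_type', 'File content is not an allowed image type.' );
    }

    // 3. The extension must agree with the content. wp_check_filetype_and_ext()
    //    returns ext/type as false when name and contents cannot be reconciled,
    //    and 'proper_filename' when WordPress can correct the name itself.
    $safe_name = sanitize_file_name( $file['name'] );
    $check     = wp_check_filetype_and_ext( $file['tmp_name'], $safe_name, EXAMPLE_FEATURED_IMAGE_MIMES );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_ext', 'File extension does not match an allowed image type.' );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $safe_name = $check['proper_filename'];
    }

    // 4. Hand the file to WordPress: it moves it into the uploads directory,
    //    creates the attachment, and removes the temp file on failure.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    $file_array = array(
        'name'     => $safe_name,
        'tmp_name' => $file['tmp_name'],
    );
    $attachment_id = media_handle_sideload( $file_array, $post_id );
    if ( is_wp_error( $attachment_id ) ) {
        return $attachment_id;
    }

    set_post_thumbnail( $post_id, $attachment_id );
    return $attachment_id;
}
```

The order of the checks matters: the capability test runs before anything touches the file, the content check (exif_imagetype()) runs before the name is trusted, and the extension is only ever compared against what the bytes already proved. A file whose name says .png but whose content is not an image fails at step 2; a real image renamed to an executable extension fails at step 3.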
CVSS Score and Impact
The vulnerability has been rated CRITICAL with a CVSS v3.1 base score of 9.8. The vector string is:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Key characteristics of this score include:
- Exploitable remotely over a network (AV:N)
- Low attack complexity (AC:L)
- No privileges or user interaction required (PR:N, UI:N)
- High impact on confidentiality, integrity, and availability (C:H, I:H, A:H)
Impacted Versions
All versions of the plugin up to and including 2.6.8.1 are affected. Users running these versions are highly encouraged to update or disable the plugin immediately.
Mitigation and Recommendations
Users should consult the plugin vendor for updates or security patches. In the absence of an immediate patch, disabling the plugin is advised.
CISA’s SSVC (Stakeholder-Specific Vulnerability Categorization) analysis rates the vulnerability as automatable with a total technical impact, further underlining the urgency of remediation.
Conclusion
CVE-2025-4389 is a severe security risk for WordPress sites using the Crawlomatic plugin. The ability for unauthenticated users to upload files with no validation represents a significant attack vector. Site administrators must act swiftly to mitigate this threat.