Crawlomatic Plugin Updated to Fix Critical RCE Flaw

by Mary

The WordPress plugin “Crawlomatic Multipage Scraper Post Generator” has been updated to fix a critical security vulnerability that could allow remote code execution (RCE). The flaw, identified as CVE-2025-4389 and assigned a CVSS score of 9.8, affects all versions of the plugin released before version 2.6.8.2.

Developed by CodeRevolution, Crawlomatic automates the scraping and publishing of online content such as weather updates, sports scores, job ads, and news stories onto WordPress sites. The plugin is available on the Envato marketplace, where it has over 1,100 sales and an average customer rating of 4.83 out of 5 stars.

The vulnerability was discovered by a researcher known as Foxyyy and disclosed by Wordfence. It stems from the absence of proper file type validation in the plugin function named “crawlomatic_generate_feaured_image().” This oversight allows unauthenticated users to upload arbitrary file types, which could be exploited to achieve remote code execution on the targeted website’s server.
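The check the advisory says was missing, shown from the defender's side as an added illustration. This is not code from Crawlomatic, Echo RSS Feed Post Generator, Aiomatic or any other CodeRevolution plugin; the function names, the allowlist and the sample inputs are assumptions made for this example. The point it demonstrates is that a featured-image routine must decide the stored file type from the bytes it actually received, never from the remote URL, the remote server's Content-Type header, or a caller-supplied filename.

```php
<?php
// Added example (not plugin code): defensive pattern for saving a remotely
// fetched image as a featured image. The stored extension is derived from
// the content itself, and the filename is chosen by the server.

// Allowlist of image MIME types we will store, mapped to the extension the
// server writes. Nothing outside this map is ever saved.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

/**
 * Return the extension to use for $bytes, or null if the content is not an
 * allowlisted image. Two independent parsers must agree: libmagic (finfo)
 * and PHP's image header reader (getimagesizefromstring).
 */
function safe_image_extension(string $bytes): ?string {
    if ($bytes === '') {
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($bytes);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    $info = @getimagesizefromstring($bytes);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$mime];
}

/**
 * Write validated image bytes into $upload_dir under a random, server-chosen
 * name. Returns the path written, or null if validation failed.
 */
function store_featured_image(string $bytes, string $upload_dir): ?string {
    $ext = safe_image_extension($bytes);
    if ($ext === null) {
        return null; // reject: not an image type we accept
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $path = rtrim($upload_dir, '/') . '/' . $name;
    return file_put_contents($path, $bytes) === false ? null : $path;
}

// Constructed inputs: a 1x1 PNG, and plain text that a caller might have
// labelled "photo.jpg". Only the first should yield an extension.
$samples = [
    'tiny png'   => base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='),
    'plain text' => 'this is not an image',
];
foreach ($samples as $label => $bytes) {
    $ext = safe_image_extension($bytes);
    echo $label, ': ', $ext === null ? 'rejected' : "accepted as .$ext", PHP_EOL;
}
```

Inside a WordPress plugin this validation belongs behind a capability check (for example `current_user_can('upload_files')`) and a nonce, since the advisory notes the affected function was reachable without authentication; WordPress core's own `wp_check_filetype_and_ext()` performs the same kind of content-versus-extension comparison and can be used in place of the hand-rolled check above.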

SC Media reached out to Wordfence for more details on how arbitrary file uploads might be carried out, but no response was received.

To secure their websites, users are advised to update the Crawlomatic plugin to version 2.6.8.2 as soon as possible to prevent exploitation of this flaw.

On the same day, CodeRevolution also patched a similar vulnerability in another of its WordPress plugins, “Echo RSS Feed Post Generator.” Tracked as CVE-2025-4391 and also rated with a CVSS score of 9.8, the issue again involved missing file type validation in the function “echo_generate_feaured_image().” This plugin has been sold over 1,900 times on the Envato platform.

In March 2025, CodeRevolution addressed another security issue in its plugin “Aiomatic – Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT Chabot & AI Toolkit.” This flaw, identified as CVE-2024-13882, was found in the “aiomatic_generate_featured_image()” function and involved improper file validation. Unlike the more recent flaws, it required authentication at the Contributor level or above to exploit and received a CVSS score of 8.8.

Another recent file upload vulnerability, CVE-2025-2008, was reported in the “WP Ultimate CSV Importer” plugin, which is used on over 20,000 WordPress websites. This flaw allowed authenticated users with at least Subscriber-level access to upload arbitrary files.

These vulnerabilities underscore the widespread impact that plugin flaws can have on the WordPress ecosystem. For example, the Balada Injector campaign took advantage of a cross-site scripting flaw in the Popup Builder plugin, compromising over 6,700 sites between December 2023 and January 2024.
