CVE Alert: CVE-2025-8417 – idiatech – Catalog Importer, Scraper & Crawler
CVE-2025-8417
The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. The cause is reliance on a guessable numeric token (e.g. ?key=900001705) in place of proper authentication, combined with the unsafe use of eval() on user-supplied input. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server via a forged request, provided they can guess or brute-force the numeric key.
AI Summary Analysis
Risk verdict
High risk of unauthenticated remote code execution via the vulnerable plugin; exploitation is feasible over the network and could be automated.
Why this matters
Attackers who reach the plugin endpoint with a valid key (guessed or brute-forced) can inject arbitrary PHP, enabling full compromise of the web server account, data access or defacement without any user interaction. For sites handling catalog imports or public content, the impact includes loss of data integrity, credential exposure and reputational damage, with potential regulatory implications where customer data is held.
Most likely attack path
The endpoint is network-accessible and requires no prior credentials; a guessable numeric key unlocks a code path that passes request input to eval(). Because the key space is numeric, an attacker can enumerate it and then land a payload in a single follow-up request. The combination of unauthenticated access, eval-based code injection and high impact means successful exploitation could quickly establish persistence and broad host control within the WordPress hosting context.
Who is most exposed
Sites running self-hosted WordPress with this plugin enabled, especially those handling product catalogs or imports for public-facing storefronts, are at greatest risk. Environments with minimal patching or security hygiene are prime targets.
Detection ideas
- Requests to the plugin's endpoints carrying a numeric key parameter, and in particular many requests from one client that step through different key values (a brute-force sweep).
- PHP error log entries whose stack frames reference "eval()'d code": PHP reports errors raised inside eval() this way, so a malformed or failing injected payload leaves this trace.
- New or modified PHP files under the plugin directory, wp-content/uploads or the web root; suspicious file write activity by the PHP worker.
- Web shells, unusual child processes of the PHP worker, or outbound connections following a request to the plugin.
- Anomalous spikes in 500 errors or CPU on the catalog import endpoints.
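The first detection idea, worked through as an added example (this is not code from the advisory or from the plugin vendor): a small log analyser that scans combined-format access log lines for plugin requests carrying a purely numeric key parameter and groups them by client so that a brute-force sweep stands out from a single hit. The plugin directory name, the endpoint filename and the log lines are all constructed for illustration; the advisory does not name the endpoint, so replace PLUGIN_PREFIX with the real path on your site.

```python
"""Flag requests matching the CVE-2025-8417 attack pattern in a web access log.

Added example, not code from the advisory or from the plugin. It looks for
requests under the plugin's directory that carry a purely numeric ``key=``
parameter, and groups them by source address so that a brute-force sweep
(many distinct key values from one client) stands out from a single hit.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# ASSUMPTION: the plugin lives under this directory. The advisory does not
# name the endpoint, so replace this prefix with the real path on your site.
PLUGIN_PREFIX = "/wp-content/plugins/catalog-importer"

# Distinct key values from one client before we call it a brute-force sweep.
SWEEP_THRESHOLD = 3

# Combined log format (Apache/nginx): ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m.group("status")),
    }


def numeric_key(query):
    """Return the value of a purely numeric ``key`` parameter, else None."""
    for value in query.get("key", []):
        if value.isdigit():
            return value
    return None


def analyze(log_text, plugin_prefix=PLUGIN_PREFIX, threshold=SWEEP_THRESHOLD):
    """Return (hits, sweeps).

    hits   - list of (ip, key, status) for every plugin request with a numeric key
    sweeps - sorted list of client IPs that tried at least ``threshold`` distinct keys
    """
    hits = []
    keys_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(plugin_prefix):
            continue
        key = numeric_key(rec["query"])
        if key is None:
            continue
        hits.append((rec["ip"], key, rec["status"]))
        keys_by_ip[rec["ip"]].add(key)
    sweeps = sorted(ip for ip, keys in keys_by_ip.items() if len(keys) >= threshold)
    return hits, sweeps


# Constructed sample traffic (not real log data; endpoint.php is a placeholder
# filename): one client sweeping keys, one client hitting a single key, and
# two benign requests that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2025:10:01:02 +0000] "GET /wp-content/plugins/catalog-importer/endpoint.php?key=900001700 HTTP/1.1" 403 211 "-" "python-requests/2.31"
203.0.113.7 - - [10/Aug/2025:10:01:03 +0000] "GET /wp-content/plugins/catalog-importer/endpoint.php?key=900001701 HTTP/1.1" 403 211 "-" "python-requests/2.31"
203.0.113.7 - - [10/Aug/2025:10:01:04 +0000] "GET /wp-content/plugins/catalog-importer/endpoint.php?key=900001705 HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [10/Aug/2025:10:05:00 +0000] "POST /wp-content/plugins/catalog-importer/endpoint.php?key=900001705 HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.9 - - [10/Aug/2025:10:06:00 +0000] "GET /wp-content/plugins/catalog-importer/assets/style.css HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Aug/2025:10:06:01 +0000] "GET /wp-login.php?key=900001705 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits, sweeps = analyze(SAMPLE_LOG)
    for ip, key, status in hits:
        print(f"plugin request with numeric key: {ip} key={key} status={status}")
    for ip in sweeps:
        print(f"possible key brute-force from {ip}")
```

A request to the plugin directory with a numeric key is worth a look on its own, but the sweep list is the stronger signal: a legitimate client knows the key and does not iterate through neighbouring values. Feed the analyser the raw access log and tune SWEEP_THRESHOLD to the site's traffic; a single 200 after a run of 403s from the same address is the pattern to escalate first.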
Mitigation and prioritisation
- Update to a release later than 5.1.4, or remove the plugin if it is not needed.
- Apply WAF rules that block unauthenticated requests to the plugin's endpoints and rate-limit or block clients that iterate through numeric key values.
- Harden the PHP runtime: eval() is a language construct and cannot be turned off with disable_functions, so restrict the functions injected code would rely on (system, exec, shell_exec, passthru, proc_open) and run the PHP worker with a file system that denies writes to the plugin directory and the web root where feasible.
- Follow change management: test the update in staging, verify site functionality, then roll out; take full site backups first.
- Continuously monitor access logs for unauthenticated requests to the affected endpoints, and treat any hit from before the update as a possible compromise to be investigated.