CVE-2025-8417
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-11

Last updated on: 2025-09-11

Assigner: Wordfence

Description
The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. This is due to reliance on a guessable numeric token (e.g. ?key= 900001705) without proper authentication, combined with the unsafe use of eval() on user-supplied input. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server via a forged request granted they can guess or brute-force the numeric key.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-11
Last Modified
2025-09-11
Generated
2026-06-16
AI Q&A
2025-09-11
EPSS Evaluated
2026-06-14
NVD
CVE-2025-8417
EUVD
EUVD-2025-27664
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress catalog_importer_scraper_and_crawler 5.1.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-8417 is a vulnerability in the Catalog Importer, Scraper & Crawler WordPress plugin (up to version 5.1.4) that allows unauthenticated attackers to execute arbitrary PHP code on the server. This happens because the plugin relies on a guessable numeric token for authentication and unsafely uses the eval() function on user-supplied input. Attackers can guess or brute-force this numeric key to send forged requests that execute malicious PHP code, leading to remote code execution. [1]

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution on your server, which can lead to full compromise of the affected WordPress site. Attackers could manipulate or steal data, install malware, deface the website, or use the server as a launchpad for further attacks. Because the vulnerability requires no authentication beyond guessing a numeric key, it poses a high risk even to sites without logged-in users. [1]

Detection Guidance

This vulnerability can be detected by monitoring for HTTP requests to the vulnerable WordPress plugin that include a numeric key parameter (e.g., ?key=900001705) in the URL, which is used without proper authentication. You can search your web server logs for suspicious GET requests containing the 'key' parameter with numeric values targeting the plugin's endpoints. For example, using grep on Apache logs: `grep -E '\?key=[0-9]+' /var/log/apache2/access.log`. Additionally, look for unusual or unauthorized PHP code execution or modifications in the plugin files, especially megaimporter.php or fonctions.php. Network intrusion detection systems can be configured to alert on requests with suspicious query parameters targeting this plugin. [1]

Mitigation Strategies

Immediate mitigation steps include updating the Catalog Importer, Scraper & Crawler WordPress plugin to a version later than 5.1.4 where this vulnerability is fixed. If an update is not available, restrict access to the plugin's endpoints by implementing authentication or IP whitelisting to prevent unauthenticated access. Disable or remove the plugin if it is not essential. Additionally, review and restrict permissions on files like fonctions.php to prevent unauthorized PHP code editing. Monitor and block suspicious requests that include the numeric key parameter to reduce the risk of exploitation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8417. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart