CVE-2025-8417
BaseFortify
Publication date: 2025-09-11
Last updated on: 2025-09-11
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | catalog_importer_scraper_and_crawler | all versions up to and including 5.1.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8417 is a vulnerability in the Catalog Importer, Scraper & Crawler WordPress plugin (all versions up to and including 5.1.4) that allows unauthenticated attackers to execute arbitrary PHP code on the server. Two weaknesses combine here: the plugin authenticates requests with a guessable numeric token rather than a high-entropy secret, and it passes user-supplied input to eval(). An attacker who guesses or brute-forces the numeric key can send forged requests whose content is executed as PHP, which is the code-injection pattern described by CWE-94 and results in remote code execution. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized remote code execution on your server and, with it, full compromise of the affected WordPress site. Attackers could read or manipulate data, install malware or web shells, deface the site, or use the server as a launchpad for further attacks. Because exploitation requires no authentication beyond guessing a numeric key, it poses a high risk even to sites with no logged-in users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the vulnerable plugin's endpoints that carry a numeric key parameter (e.g., ?key=900001705) in the URL, since that key is the only thing standing in for authentication. Search your web server logs for GET requests to the plugin's directory that contain a numeric 'key' parameter anywhere in the query string. For example, using grep on Apache logs: `grep -E 'wp-content/plugins/[^ ]*[?&]key=[0-9]+' /var/log/apache2/access.log`. A single request with a valid key looks like legitimate use; the signal to look for is many requests from one client with different, often sequential, key values. Note that a key sent in a POST body will not appear in a standard access log. Additionally, look for unusual or unauthorized PHP code execution and for modifications to the plugin files, especially megaimporter.php or fonctions.php, by comparing them against a clean copy of the plugin. Network intrusion detection systems can be configured to alert on requests with suspicious query parameters targeting this plugin. [1]
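The log-based detection described above, written out as an added example (not part of the CVE record or of the plugin): it parses Apache combined-format lines, keeps only requests under the plugin directory that carry a numeric key anywhere in the query string, and aggregates per source IP so that a client walking through key values is reported while a single request with one key is not. The log lines are constructed for the example; the plugin directory name "catalog-importer" and the response codes in them are assumptions, not taken from the advisory.

```python
"""Detect numeric-key guessing against a WordPress plugin endpoint in Apache logs.

Added example, not code from the CVE record or the plugin.  The sample log
lines below are constructed; the plugin directory name "catalog-importer"
and the HTTP status codes are assumptions made for the example.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
NUMERIC_KEY_RE = re.compile(r'^[0-9]+$')
PLUGIN_PREFIX = '/wp-content/plugins/'   # only plugin endpoints are of interest

# Constructed sample: one client walks six consecutive keys (the last one
# gets a 200), one browses normally, one sends a single key once.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Sep/2025:10:00:01 +0000] "GET /wp-content/plugins/catalog-importer/megaimporter.php?key=900001700 HTTP/1.1" 403 231 "-" "python-requests/2.32"
203.0.113.7 - - [11/Sep/2025:10:00:01 +0000] "GET /wp-content/plugins/catalog-importer/megaimporter.php?key=900001701 HTTP/1.1" 403 231 "-" "python-requests/2.32"
203.0.113.7 - - [11/Sep/2025:10:00:02 +0000] "GET /wp-content/plugins/catalog-importer/megaimporter.php?key=900001702 HTTP/1.1" 403 231 "-" "python-requests/2.32"
203.0.113.7 - - [11/Sep/2025:10:00:02 +0000] "GET /wp-content/plugins/catalog-importer/megaimporter.php?key=900001703 HTTP/1.1" 403 231 "-" "python-requests/2.32"
203.0.113.7 - - [11/Sep/2025:10:00:03 +0000] "GET /wp-content/plugins/catalog-importer/megaimporter.php?key=900001704 HTTP/1.1" 403 231 "-" "python-requests/2.32"
203.0.113.7 - - [11/Sep/2025:10:00:03 +0000] "GET /wp-content/plugins/catalog-importer/megaimporter.php?action=edit&key=900001705 HTTP/1.1" 200 1842 "-" "python-requests/2.32"
198.51.100.20 - - [11/Sep/2025:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.20 - - [11/Sep/2025:10:00:06 +0000] "GET /index.php?p=42&key=7 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Sep/2025:10:01:00 +0000] "GET /wp-content/plugins/catalog-importer/megaimporter.php?key=900001705 HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; return None for junk."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec['target'])
    rec['path'] = url.path
    rec['query'] = parse_qs(url.query)      # handles key= at any position
    rec['status'] = int(rec['status'])
    return rec


def numeric_keys(rec):
    """Numeric 'key' values in a request to a plugin path; empty otherwise."""
    if not rec['path'].startswith(PLUGIN_PREFIX):
        return []
    return [int(v) for v in rec['query'].get('key', []) if NUMERIC_KEY_RE.match(v)]


def analyze(log_text, min_distinct_keys=3):
    """Return one finding per source IP that tried at least min_distinct_keys keys."""
    per_ip = defaultdict(lambda: {'keys': set(), 'requests': 0,
                                  'statuses': Counter(), 'paths': set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        keys = numeric_keys(rec)
        if not keys:
            continue
        agg = per_ip[rec['ip']]
        agg['keys'].update(keys)
        agg['requests'] += 1
        agg['statuses'][rec['status']] += 1
        agg['paths'].add(rec['path'])

    findings = []
    for ip, agg in per_ip.items():
        keys = sorted(agg['keys'])
        if len(keys) < min_distinct_keys:
            continue
        # Consecutive integers from one client are the signature of a counter
        # being walked, not of an integration retrying a single key.
        sequential = keys[-1] - keys[0] == len(keys) - 1
        findings.append({
            'ip': ip,
            'requests': agg['requests'],
            'distinct_keys': len(keys),
            'key_range': (keys[0], keys[-1]),
            'sequential': sequential,
            # A 2xx after a run of rejections hints that a key was accepted, but
            # only as a hint: a plugin may answer 200 to a rejected key as well.
            'status_counts': dict(agg['statuses']),
            'paths': sorted(agg['paths']),
        })
    return findings


if __name__ == '__main__':
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run it against a real log with `analyze(open('/var/log/apache2/access.log').read())` and adjust `PLUGIN_PREFIX` to the plugin's actual directory. The per-IP threshold is what separates the scan from legitimate traffic: the single request from 192.0.2.9 is left alone at the default threshold and only appears if `min_distinct_keys` is lowered to 1.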
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Catalog Importer, Scraper & Crawler WordPress plugin to a release later than 5.1.4 in which this vulnerability is fixed, if one is available. If no fixed release is available, restrict access to the plugin's endpoints with authentication or IP allowlisting so that unauthenticated requests never reach them, and disable or remove the plugin if it is not essential. Review and restrict permissions on files like fonctions.php to prevent unauthorized PHP code editing, and compare the plugin's files against a clean copy, since a site that ran the vulnerable version exposed to the internet should be treated as potentially compromised. Monitor and block suspicious requests that include the numeric key parameter to reduce the risk of exploitation. [1]