{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8417", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-31T14:18:46.597Z", "datePublished": "2025-09-11T07:24:52.519Z", "dateUpdated": "2026-04-08T16:47:58.323Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:58.323Z"}, "affected": [{"vendor": "idiatech", "product": "Catalog Importer, Scraper & Crawler", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. This is due to reliance on a guessable numeric token (e.g. ?key= 900001705) without proper authentication, combined with the unsafe use of eval() on user-supplied input. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server via a forged request granted they can guess or brute-force the numeric key."}], "title": "Catalog Importer, Scraper & Crawler <= 5.1.4 - Unauthenticated PHP Code Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3eb3533c-e33c-41db-b9cf-e9d71a0a5588?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/megaimporter.php#L57"}, {"url": "https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/communication.php#L20"}, {"url": "https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/communication.php#L244"}, {"url": "https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/communication.php#L272"}, {"url": "https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/communication.php#L300"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Alexander Chikaylo"}], "timeline": [{"time": "2025-09-10T18:49:08.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-11T14:06:13.106447Z", "id": "CVE-2025-8417", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T14:40:32.368Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8417", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-11T14:06:13.106447Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T14:06:16.239Z"}}], "cna": {"title": "Catalog Importer, Scraper & Crawler <= 5.1.4 - Unauthenticated PHP Code Injection", "credits": [{"lang": "en", "type": "finder", "value": "Alexander Chikaylo"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "idiatech", "product": "Catalog Importer, Scraper & Crawler", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.1.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-10T18:49:08.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3eb3533c-e33c-41db-b9cf-e9d71a0a5588?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/megaimporter.php#L57"}, {"url": "https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/communication.php#L20"}, {"url": "https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/communication.php#L244"}, {"url": "https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/communication.php#L272"}, {"url": "https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/communication.php#L300"}], "descriptions": [{"lang": "en", "value": "The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. This is due to reliance on a guessable numeric token (e.g. ?key= 900001705) without proper authentication, combined with the unsafe use of eval() on user-supplied input. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server via a forged request granted they can guess or brute-force the numeric key."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:58.323Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8417", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:47:58.323Z", "dateReserved": "2025-07-31T14:18:46.597Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-11T07:24:52.519Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. This is due to reliance on a guessable numeric token (e.g. ?key= 900001705) without proper authentication, combined with the unsafe use of eval() on user-supplied input. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server via a forged request granted they can guess or brute-force the numeric key."}], "id": "CVE-2025-8417", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-11T08:15:33.680", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/communication.php#L20"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/communication.php#L244"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/communication.php#L272"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/communication.php#L300"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/megaimporter.php#L57"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3eb3533c-e33c-41db-b9cf-e9d71a0a5588?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:04:30.008433+00:00", "value": {"mitigation_remediation": ["Upgrade the Catalog Importer, Scraper & Crawler plugin to the latest version that removes the eval() vulnerability.\n", "If upgrading is not possible, block or restrict access to the plugin\u2019s communication endpoints (for example, using .htaccess or a web\u2011application firewall) so that only authenticated administrators can trigger the importer.\n", "As a temporary safeguard, edit the plugin files to delete or comment out the eval() calls that process user input, or replace them with safe code that does not execute arbitrary PHP.\n"], "summary": {"action": "Immediate Patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "WordPress sites running the idiatech Catalog Importer, Scraper & Crawler plugin in version\u00a05.1.4 or earlier are affected. These include all installations that have not applied a newer patch that removes the vulnerable eval() logic.", "description_and_impact": "The vulnerability arises from unsanitized use of eval() on user\u2011supplied input in the Catalog Importer, Scraper & Crawler plugin. By sending a request that includes arbitrary PHP code, an attacker can cause the plugin to execute that code on the WordPress host, effectively gaining full control over the server. The flaw is a PHP code injection described by CWE\u201194. Because the exploit does not require authentication and depends only on a guessable numeric token, it poses a high risk of code execution.", "risk_and_exploitability": "The CVSS score of\u00a08.1 indicates a high severity. The EPSS score of\u00a0<1% shows a low probability that this vulnerability is being actively exploited today. It is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated HTTP request that targets the plugin\u2019s communication endpoints, where an attacker can guess or brute\u2011force the numeric key and supply PHP code to be executed. Once the key is known, remote exploitation is straightforward.\n"}}}}, "created": "2025-09-12T08:02:59.984584+00:00", "updated": "2026-04-21T03:15:16.327596+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}