PHP Code Injection in Catalog Importer, Scraper & Crawler Plugin for WordPress
CVE-2025-8417

8.1 HIGH

Key Information:

Vendor

WordPress

CVE Published:
11 September 2025

What is CVE-2025-8417?

The Catalog Importer, Scraper & Crawler plugin for WordPress is susceptible to PHP code injection. The vulnerability arises from two weaknesses together: the plugin relies on a predictable numeric token in place of proper authentication, and it executes user-supplied input via eval(). As a result, unauthenticated attackers can potentially execute arbitrary PHP code on the server by crafting a request that includes a correctly guessed or brute-forced numeric key. This poses a significant risk to the integrity and security of affected WordPress sites.
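The following is an added illustration, not code from the Catalog Importer, Scraper & Crawler plugin or from the advisory. It shows the defensive counterpart of the two weaknesses described above: a request handler that requires a capability check and a nonce instead of a guessable numeric token, issues and verifies an unguessable single-use job token with a constant-time comparison, and dispatches a validated action name to a fixed set of handlers rather than passing request data to eval(). Every function, option and action name prefixed `demo_` is hypothetical; the block assumes it runs inside WordPress, whose `add_action`, `check_ajax_referer`, `current_user_can`, option and `wp_send_json_*` APIs it uses.

```php
<?php
/**
 * Added illustration (not the plugin's code). Hardened pattern for the two
 * weaknesses the advisory describes:
 *   1. a guessable numeric token standing in for authentication, and
 *   2. eval() on user-supplied input.
 * All "demo_" names are hypothetical. Assumes a WordPress runtime.
 */

// 1. Authorization first. Only the authenticated wp_ajax_ hook is registered;
//    there is deliberately no wp_ajax_nopriv_ variant, so anonymous requests
//    never reach the handler at all.
add_action('wp_ajax_demo_run_import', 'demo_run_import');

function demo_run_import(): void {
    // CSRF protection: the nonce binds the request to the current user's session.
    check_ajax_referer('demo_run_import', '_wpnonce');

    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    // 2. If a job token is still needed (e.g. to resume a queued background run),
    //    it must be unguessable, time-limited and compared in constant time,
    //    never a small sequential integer.
    $supplied = isset($_POST['job_token']) ? (string) $_POST['job_token'] : '';
    if (!demo_verify_job_token($supplied)) {
        wp_send_json_error(['message' => 'invalid or expired job token'], 403);
    }

    // 3. Never eval() request data. A short, sanitized step name is looked up in
    //    a fixed allow-list; anything else is rejected before any code runs.
    $handlers = [
        'fetch'  => 'demo_fetch_catalog',
        'parse'  => 'demo_parse_catalog',
        'import' => 'demo_import_catalog',
    ];
    $step = isset($_POST['step']) ? sanitize_key($_POST['step']) : '';
    if (!array_key_exists($step, $handlers)) {
        wp_send_json_error(['message' => 'unknown step'], 400);
    }
    wp_send_json_success(call_user_func($handlers[$step]));
}

// Issue a 256-bit random token with a 10-minute lifetime. Stored server-side
// and returned to the admin UI once; it is never derived from a counter or id.
function demo_issue_job_token(): string {
    $token = bin2hex(random_bytes(32));
    update_option(
        'demo_job_token',
        ['token' => $token, 'expires' => time() + 600],
        false // do not autoload a secret on every page
    );
    return $token;
}

// Constant-time comparison, expiry check, single use on success only
// (a wrong guess must not be able to invalidate a legitimate token).
function demo_verify_job_token(string $supplied): bool {
    $record = get_option('demo_job_token');
    if (!is_array($record) || empty($record['token']) || $supplied === '') {
        return false;
    }
    $fresh   = time() < (int) $record['expires'];
    $matches = hash_equals($record['token'], $supplied);
    if ($fresh && $matches) {
        delete_option('demo_job_token');
        return true;
    }
    return false;
}

// Step handlers. The catalog work itself is out of scope here; the point is
// that only these three named functions can ever be reached from a request.
function demo_fetch_catalog(): array  { return ['step' => 'fetch',  'status' => 'ok']; }
function demo_parse_catalog(): array  { return ['step' => 'parse',  'status' => 'ok']; }
function demo_import_catalog(): array { return ['step' => 'import', 'status' => 'ok']; }
```

The design choice worth noting is that the token is a defence-in-depth layer, not the primary control: even if `demo_verify_job_token` were removed, the capability check and nonce would still keep unauthenticated callers out, and the allow-list dispatch means no request field is ever interpreted as PHP.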

Affected Version(s)

Catalog Importer, Scraper & Crawler, all versions up to and including 5.1.4

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alexander Chikaylo