CVE-2025-4389

Name of the Vulnerable Software and Affected Versions: Crawlomatic Multipage Scraper Post Generator plugin for WordPress versions up to, and including, 2.6.8.1

Description: The issue is related to arbitrary file uploads due to missing file type validation in the crawlomatic generate featured image() function. This allows unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. Thousands of WordPress sites are at risk due to this critical vulnerability.

Recommendations: For versions up to, and including, 2.6.8.1, consider disabling the crawlomatic generate featured image() function until a patch is available to prevent arbitrary file uploads. Restrict access to the vulnerable function to minimize the risk of exploitation. Avoid using the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.