PT-2025-37127 · WordPress · Catalog Importer

Alexander Chikaylo · Published 2025-09-11 · Updated 2025-09-16 · CVE-2025-8417

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Catalog Importer, Scraper & Crawler plugin for WordPress, versions through 5.1.4

Description: The Catalog Importer, Scraper & Crawler plugin for WordPress is susceptible to PHP code injection. The plugin relies on a guessable numeric token (e.g., ?key=900001705) instead of proper authentication, and it passes user-supplied input to the eval() function. An unauthenticated attacker who guesses or brute-forces the numeric key can therefore execute arbitrary PHP code on the server via a forged request.

Recommendations: Versions prior to 5.1.5 are affected. Update to version 5.1.5 or later.
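The following hypothetical WordPress handler is an added illustration, not the plugin's own code: the function names, the AJAX action name cisc_run_task, the option name cisc_task_secret_hash and the task names are assumptions. It places the two weaknesses the description names (a short numeric key checked without authentication, and eval() on request input) beside a hardened replacement that requires a capability, verifies a nonce, compares a long random secret in constant time, and dispatches to a fixed allow-list of tasks instead of evaluating code.

```php
<?php
// Added illustration (not the plugin's code). Names below are assumptions.

// --- Weak pattern the advisory describes (do not use).
// A fixed numeric secret is compared with ==, no WordPress authentication is
// performed, and a request parameter is handed to eval().
function cisc_weak_handler() {
    $expected = 900001705;                       // guessable 9-digit token
    if ( isset( $_GET['key'] ) && $_GET['key'] == $expected ) {
        eval( wp_unslash( $_REQUEST['code'] ) ); // arbitrary PHP from the request
    }
}

// --- Hardened replacement.

// Generate a 256-bit secret once (shown to the administrator once) and store
// only its SHA-256 hash, so a database read does not reveal the token.
function cisc_generate_secret() {
    $secret = bin2hex( random_bytes( 32 ) );             // CSPRNG, 64 hex chars
    update_option( 'cisc_task_secret_hash', hash( 'sha256', $secret ), false );
    return $secret;
}

// Constant-time check of a candidate against the stored hash. hash_equals()
// avoids the timing leak of == and also rejects type-juggled numeric input.
function cisc_secret_is_valid( $candidate ) {
    $stored = get_option( 'cisc_task_secret_hash', '' );
    if ( ! is_string( $candidate ) || $stored === '' ) {
        return false;
    }
    return hash_equals( $stored, hash( 'sha256', $candidate ) );
}

// Example tasks reachable through the allow-list (assumed names).
function cisc_task_import_catalog() {
    return array( 'task' => 'import_catalog', 'status' => 'queued' );
}
function cisc_task_purge_cache() {
    return array( 'task' => 'purge_cache', 'status' => 'done' );
}

function cisc_hardened_handler() {
    // 1. Authentication and authorisation: only logged-in users holding
    //    manage_options get this far (the hook below has no nopriv twin).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // calls wp_die()
    }

    // 2. CSRF protection bound to this specific action.
    check_ajax_referer( 'cisc_run_task', 'nonce' );

    // 3. Optional second factor: the long random secret, never a short numeric key.
    $key = isset( $_POST['key'] ) ? sanitize_text_field( wp_unslash( $_POST['key'] ) ) : '';
    if ( ! cisc_secret_is_valid( $key ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. No eval(): the request may only select a task from a fixed allow-list,
    //    so request content never becomes code.
    $tasks = array(
        'import_catalog' => 'cisc_task_import_catalog',
        'purge_cache'    => 'cisc_task_purge_cache',
    );
    $task = isset( $_POST['task'] ) ? sanitize_key( $_POST['task'] ) : '';
    if ( ! isset( $tasks[ $task ] ) ) {
        wp_send_json_error( 'unknown task', 400 );
    }
    wp_send_json_success( call_user_func( $tasks[ $task ] ) );
}

// Registered for authenticated requests only: deliberately no
// add_action( 'wp_ajax_nopriv_cisc_run_task', ... ).
add_action( 'wp_ajax_cisc_run_task', 'cisc_hardened_handler' );
```

The order of the checks matters: the capability check runs first, so an anonymous caller is rejected before any secret comparison takes place, and the secret check only adds defence in depth for an already authenticated administrator. Because the hardened handler maps request input to a closed set of function names rather than evaluating it, guessing or brute-forcing any parameter can at most trigger one of the listed tasks, not arbitrary PHP.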

Fix

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2025-8417

Affected Products: Catalog Importer