Crawlomatic WordPress Plugin Patched for Critical Security Flaw
The Crawlomatic Multisite Scraper Post Generator, a WordPress plugin sold on Envato's CodeCanyon marketplace, contained a serious security vulnerability. This flaw allowed unauthorized individuals to upload malicious files to websites using the plugin, potentially leading to remote code execution.
Vulnerability Details
The vulnerability, rated 9.8 out of 10 in severity, stemmed from a missing file type validation check. This oversight affected all versions of the Crawlomatic plugin up to and including 2.6.8.1.
Wordfence, a leading WordPress security firm, issued a warning detailing the vulnerability's impact:
“The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation... This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible.”
Remediation and Updates
Wordfence strongly recommends users update to Crawlomatic version 2.6.8.2 or higher immediately to patch the vulnerability. This update addresses the file type validation issue and mitigates the risk of unauthorized file uploads.
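To make the class of flaw concrete, here is an added illustration (not Crawlomatic's code, and not the actual fix shipped in 2.6.8.2) of what a WordPress upload handler looks like when the checks whose absence produces an unauthenticated arbitrary file upload are present. The admin-ajax action name, the `import_file` field and the CSV/XML allow-list are assumptions chosen for a feed-import scenario.

```php
<?php
// Added example, not the plugin's own code. Hypothetical admin-ajax upload
// handler; the action name "example_import_upload" and field "import_file"
// are assumed. Each numbered check is one that an arbitrary-file-upload
// endpoint typically lacks.

function example_import_upload_handler() {
    // 1. Authorisation: the hook below is registered only as wp_ajax_ (no
    //    wp_ajax_nopriv_), so WordPress already requires a logged-in user;
    //    on top of that, the user must hold the upload capability.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: a nonce bound to this specific action.
    check_ajax_referer( 'example_import_upload', 'nonce' );

    if ( empty( $_FILES['import_file'] ) ) {
        wp_send_json_error( 'no file supplied', 400 );
    }
    $file = $_FILES['import_file'];

    // 3. File type validation, the check the advisory describes as missing:
    //    restrict to the formats this importer actually needs (assumed:
    //    CSV and XML). wp_check_filetype_and_ext() inspects the content,
    //    not just the client-supplied name, and returns empty ext/type
    //    when the file does not match the allow-list.
    $allowed = array( 'csv' => 'text/csv', 'xml' => 'text/xml' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 4. Let WordPress move the file: wp_handle_upload() re-runs the type
    //    check against the same allow-list, sanitises the filename and
    //    stores the file under the uploads directory rather than at a
    //    caller-chosen path.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    wp_send_json_success( array( 'stored_at' => $result['file'] ) );
}
add_action( 'wp_ajax_example_import_upload', 'example_import_upload_handler' );
```

When auditing a plugin for this bug class, the questions to ask are exactly those four: is the handler reachable without authentication (a `wp_ajax_nopriv_` or `init`-time hook), is there a nonce, is the type allow-list enforced on content rather than filename, and does the file land somewhere the web server will execute.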
The Crawlomatic plugin, which scrapes content from various sources including websites and RSS feeds, is marketed as a tool to help users automate content creation. While this functionality can be beneficial, this incident highlights the importance of regular plugin updates and robust security practices.
For more detailed information about the vulnerability, please visit Wordfence:
Crawlomatic Multipage Scraper Post Generator <= 2.6.8.1 - Unauthenticated Arbitrary File Upload