CVE-2025-8417

8.1 HIGH
Published: September 11, 2025 Modified: April 15, 2026
View on NVD

Description

The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. This is due to reliance on a guessable numeric token (e.g. ?key= 900001705) without proper authentication, combined with the unsafe use of eval() on user-supplied input. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server via a forged request granted they can guess or brute-force the numeric key.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/communication.php#L20
Source: security@wordfence.com
https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/communication.php#L244
Source: security@wordfence.com
https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/communication.php#L272
Source: security@wordfence.com
https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/communication.php#L300
Source: security@wordfence.com
https://plugins.trac.wordpress.org/browser/intelligent-importer/tags/5.1.4/megaimporter.php#L57
Source: security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/3eb3533c-e33c-41db-b9cf-e9d71a0a5588?source=cve
Source: security@wordfence.com

6 reference(s) from NVD

Quick Stats

CVSS v3 Score
8.1 / 10.0
EPSS (Exploit Probability)
0.2%
48th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-94

Related CVEs

CVE-2026-6416 2.7
CVE-2026-6408 2.7
CVE-2026-6392 2.7
CVE-2026-6386 N/A
CVE-2026-5398 N/A