Advisory

Crawlomatic Multipage Scraper post generator allows unauthorized file uploads

Take action: If you are using Crawlomatic Multipage Scraper Post Generator, time to update it. Because we strongly suspect many people are not happy that you are scraping their content, and now someone may decide to get back at you. So patch quickly.

A critical security vulnerability has been identified in the Crawlomatic Multipage Scraper Post Generator - a WordPress plugin that enables website owners to automatically post content scraped from other websites. 

The plugin is marketed as a tool that can crawl and scrape content from virtually any website, including JavaScript-based sites, and automatically publish the content on the user's website. Its promotional materials claim it can turn websites into "money making machines."

The flaw is tracked as CVE-2025-4389 (CVSS score 9.8) - an "Unrestricted Upload of File with Dangerous Type" vulnerability. It is caused by missing file type validation in the crawlomatic_generate_featured_image() function. An attacker who succeeds in uploading a file containing executable code could then run it on the server, giving them unauthorized access to the website, its database, and potentially the entire server.
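The missing check is easier to reason about with a concrete counterpart. The following is an added illustration, not the plugin's code or the vendor's 2.6.8.2 patch: a stand-alone PHP function that validates a fetched "featured image" before anything is written into the uploads directory. The function name, the allowlist, and the constructed sample files are assumptions made for this example; inside WordPress the same extension-versus-content check is normally obtained from core's wp_check_filetype_and_ext().

```php
<?php
// Added example (hypothetical helper, not from the plugin): validate a downloaded
// featured image before saving it. Returns ['ok' => bool, ...] so the caller can
// log the rejection reason.
function crawl_validate_featured_image(string $tmp_path, string $remote_name): array
{
    // Extension allowlist mapped to the MIME types the bytes are allowed to sniff as.
    $allowed = [
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'png'  => ['image/png'],
        'gif'  => ['image/gif'],
        'webp' => ['image/webp'],
    ];

    // 1. Extension taken from the remote name, but only honoured if allowlisted.
    $path = (string) parse_url($remote_name, PHP_URL_PATH);
    $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return ['ok' => false, 'reason' => "extension '$ext' not in allowlist"];
    }

    // 2. Content sniffing: the declared extension must agree with the actual bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp_path);
    if (!in_array($mime, $allowed[$ext], true)) {
        return ['ok' => false, 'reason' => "content type '$mime' does not match .$ext"];
    }

    // 3. The file must also decode as an image; getimagesize() returns false otherwise.
    if (@getimagesize($tmp_path) === false) {
        return ['ok' => false, 'reason' => 'file does not decode as an image'];
    }

    // 4. The server chooses the stored name: random, fixed extension, no path parts
    //    from the remote site, so the scraped source never controls where or as
    //    what the file lands.
    $safe_name = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['ok' => true, 'name' => $safe_name, 'mime' => $mime];
}

// Constructed inputs for a stand-alone run: a 1x1 PNG, and a text file that
// carries a PHP open tag but is presented under two different names.
$png  = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$good = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($good, $png);
$bad  = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($bad, "<?php echo 'not an image'; ?>");

print_r(crawl_validate_featured_image($good, 'https://example.com/photo.png'));
print_r(crawl_validate_featured_image($bad,  'https://example.com/page.php'));
print_r(crawl_validate_featured_image($bad,  'https://example.com/page.png'));

unlink($good);
unlink($bad);
```

The three calls exercise the three layers: an allowlisted extension with matching bytes passes, a non-image extension is rejected before the file is inspected, and an image extension on non-image bytes is rejected by the MIME comparison. Checking the extension alone (step 1) is the weak form of this validation; steps 2 to 4 are what make a renamed file harmless even if the web server is configured to execute by extension.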

The vulnerability affects all versions of the plugin up to and including 2.6.8.1, with a patched version (2.6.8.2) now available.

Website owners and administrators using the Crawlomatic Multipage Scraper Post Generator plugin should immediately update to version 2.6.8.2 or newer. 