A WordPress plugin that mechanically posts content material scraped from different web sites has been found to include a crucial vulnerability that enables anybody to add malicious recordsdata to affected web sites. The severity of the vulnerability is rated at 9.8 on a scale of 1-10.
Crawlomatic Multisite Scraper Put up Generator Plugin for WordPress
The Crawlomatic WordPress plugin is offered by way of the Envato CodeCanyon retailer for $59 per license. It permits customers to crawl boards, climate statistics, articles from RSS feeds, and immediately scrape the content material from different web sites after which mechanically publish the content material on the person’s web site.
The plugin’s Envato CodeCanyon internet web page encompasses a banner that notes that the creator of the plugin has been acknowledged for having met “WordPress high quality requirements” and shows a badge indicating that it’s “Envato WP Necessities Compliant,” a sign that it meets Envato’s “safety, high quality, efficiency and coding requirements in WordPress plugins and themes.”
The plugin’s listing web page explains that it it will possibly crawl and scrape just about any web site, together with JavaScript-based websites, promising that it will possibly flip a person’s web site right into a “cash making machine.”
Unauthenticated Arbitrary File Add
The Crawlomatic WordPress plugin is lacking a filetype validation examine in all model previous to and together with model 2.6.8.1.
In accordance with a warning posted on Wordfence:
“The Crawlomatic Multipage Scraper Put up Generator plugin for WordPress is weak to arbitrary file uploads because of lacking file sort validation within the crawlomatic_generate_featured_image() operate in all variations as much as, and together with, 2.6.8.1. This makes it attainable for unauthenticated attackers to add arbitrary recordsdata on the affected web site’s server which can make distant code execution attainable.”
Customers of the plugin are really useful by Wordfence to replace to no less than model 2.6.8.2.
Learn extra at Wordfence:
Crawlomatic Multipage Scraper Put up Generator <= 2.6.8.1 – Unauthenticated Arbitrary File Add
Featured Picture by Shutterstock/nakaridore
