Introduction to the Vulnerability
A critical vulnerability has been discovered in a WordPress plugin that lets site owners automatically publish content scraped from other websites. The flaw is rated 9.8 on a scale of 1 to 10, making it a significant threat to the security of any site running this plugin.
What is the Crawlomatic Multipage Scraper Post Generator Plugin?
The Crawlomatic plugin is a WordPress plugin that crawls and scrapes content from other websites, including forums, weather statistics, articles from RSS feeds, and more. It is sold on the Envato CodeCanyon store for $59 per license and promises to turn a user’s website into a "money making machine." The plugin’s author has been recognized for meeting WordPress quality standards, and the plugin is listed as "Envato WP Requirements Compliant," indicating that it meets Envato’s security, quality, performance, and coding standards.
The Vulnerability Explained
The vulnerability stems from a missing file type validation check in the crawlomatic_generate_featured_image() function, present in all versions up to and including 2.6.8.1. Because the function does not verify what kind of file it is handling before saving it, an attacker can cause arbitrary files to be written to the site’s server, which can lead to remote code execution. According to a warning posted on Wordfence, "The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function in all versions up to, and including, 2.6.8.1."
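As an added example (not the plugin’s own code, and not taken from Wordfence), the following stand-alone PHP shows the defect class and its fix side by side: a helper that names the stored file after the remote URL and so trusts whatever extension the URL carries, and a hardened version that derives both the stored name and the extension from the detected image content. The function names, the allowlist and the sample file bodies are constructed for this illustration.

```php
<?php
// Added example, not the plugin's code: validating a fetched "featured image"
// before it is written into the uploads directory. All names are hypothetical.

// Allowlist of image types the site is willing to store, mapped to the
// extension that will be used on disk.
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Identify the image format from the leading bytes of the file body.
 * Returns an allowlisted MIME type, or null when the content is not one
 * of the permitted formats (a PHP script, an HTML page, anything else).
 */
function sniff_image_type(string $body): ?string {
    if (strncmp($body, "\x89PNG\r\n\x1a\n", 8) === 0) {
        return 'image/png';
    }
    if (strncmp($body, "\xFF\xD8\xFF", 3) === 0) {
        return 'image/jpeg';
    }
    if (strncmp($body, "GIF87a", 6) === 0 || strncmp($body, "GIF89a", 6) === 0) {
        return 'image/gif';
    }
    return null;
}

/**
 * Weak version: the on-disk name is taken straight from the remote URL.
 * Nothing checks the content, so a body fetched from ".../x.php" is saved
 * as x.php and the web server may execute it.
 */
function unsafe_featured_image_name(string $remote_url): string {
    $path = parse_url($remote_url, PHP_URL_PATH);
    return basename(is_string($path) ? $path : 'image');
}

/**
 * Hardened version: the stored name is a random token plus an extension
 * chosen from the detected content type, never from the URL or from a
 * Content-Type header. Returns null for anything that is not an allowed
 * image so the caller skips the featured image instead of storing it.
 */
function safe_featured_image_name(string $body): ?string {
    $mime = sniff_image_type($body);
    if ($mime === null || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)) {
        return null;
    }
    return bin2hex(random_bytes(8)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

// Constructed inputs for a stand-alone run; these are not real fetched files.
$samples = [
    'https://example.invalid/pic.png'   => "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16),
    'https://example.invalid/shell.php' => "<?php echo 'not an image'; ?>",
    'https://example.invalid/pic.php'   => "\xFF\xD8\xFF\xE0" . str_repeat("\0", 16),
];

foreach ($samples as $url => $body) {
    printf(
        "%-36s unsafe name: %-10s safe name: %s\n",
        $url,
        unsafe_featured_image_name($url),
        safe_featured_image_name($body) ?? 'REJECTED'
    );
}
```

Run it with `php example.php`: the first sample is stored under a random `.png` name, the script body is rejected outright, and the third sample, a valid JPEG served from a URL ending in `.php`, is stored as `.jpg` because the extension follows the content rather than the URL. Inside WordPress the same job is done by `wp_check_filetype_and_ext()` and the `mimes` override of `wp_handle_sideload()`; a signature check like the one above should be followed by actually decoding the image (for example with `getimagesizefromstring()`), and the uploads directory should be configured so the web server never executes scripts from it, so that a bypass of the check still does not yield code execution.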
Impact and Recommendations
The impact is significant: unauthenticated attackers can upload arbitrary files to the affected site’s server, which can lead to remote code execution and further compromise. Users of the Crawlomatic plugin should update to at least version 2.6.8.2, the first release that contains the fix. Website owners should treat this vulnerability as urgent and update the plugin as soon as possible.
Conclusion
The discovery of this critical vulnerability in the Crawlomatic plugin highlights the importance of keeping WordPress plugins up to date and of checking that they meet security standards rather than relying on marketplace compliance badges. Website owners who use this plugin should update to a fixed version immediately to keep malicious actors from exploiting it. More generally, staying informed about vulnerabilities in installed plugins and acting on them promptly is an essential part of running a WordPress site.