Attention WordPress Users: Are You Using Crawlomatic?
A security vulnerability has recently been disclosed in a popular WordPress plugin designed for content scraping. This flaw could jeopardize the security of your website. With a severity rating of **9.8 out of 10**, it is imperative to take immediate action!
Crawlomatic Multisite Scraper Post Generator: A Double-Edged Sword
The Crawlomatic WordPress Plugin, available on the Envato CodeCanyon store for $59, has been a go-to tool for many website owners looking to enhance their online presence. This plugin empowers users to automatically crawl forums, gather weather statistics, and scrape articles from RSS feeds, providing a streamlined way to populate their sites with content. While it boasts impressive functionality, recent developments raise serious concerns.
The official Envato CodeCanyon page promotes Crawlomatic as a product that adheres to “WordPress quality standards,” boasting a badge that signifies compliance with Envato’s rigorous security, quality, performance, and coding standards. However, the recent discovery of a vulnerability raises eyebrows about these claims.
What Makes Crawlomatic Attractive?
This powerful plugin not only promises to scrape almost any website—including those built with JavaScript—but it also markets itself as a potential “money-making machine.” But is it worth the risk?
The Security Threat: Unauthenticated Arbitrary File Upload
At the core of this vulnerability is a missing **file type validation check** in versions prior to 2.6.8.1 of the Crawlomatic plugin. Because the plugin does not check what kind of file it is writing to disk, unauthenticated attackers can upload arbitrary files, including server-side scripts, directly to the web server of an affected site.
A Warning from Wordfence
Wordfence, a leading WordPress security plugin, has issued a clear warning:
“The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads, due to missing file type validation in the crawlomatic_generate_featured_image() function in all versions up to, and including, 2.6.8.1. This vulnerability allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution.”
This could spell disaster for unprepared website owners. Immediate action is crucial!
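The class of defect described above is the absence of a check on what a fetched "featured image" actually is before it is saved. The following PHP helper is an added illustration of such a check and is not the plugin's own code or its actual patch; the function name, the allow-list and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example: validating a fetched "featured image" before writing it to disk.
// Hypothetical helper, not the plugin's own code or its actual fix.

/**
 * Return a safe on-disk filename if $bytes are a real image of an allowed type,
 * or null if the file must be rejected.
 */
function validate_featured_image_upload(string $requested_name, string $bytes): ?string
{
    // Allow-list of image types: extension => MIME type the content must match.
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
        'webp' => 'image/webp',
    ];

    // 1. Never trust the remote/user-supplied name: drop any path, look only at the extension.
    $base = basename($requested_name);
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                 // .php, .phtml, .htaccess, no extension, etc.
    }

    // 2. Check the actual content, not just the name: MIME type from magic bytes ...
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->buffer($bytes) !== $allowed[$ext]) {
        return null;                 // a script renamed to something.jpg fails here
    }

    // 3. ... and confirm the bytes parse as an image at all.
    if (@getimagesizefromstring($bytes) === false) {
        return null;
    }

    // 4. Generate the stored name ourselves so nothing from $requested_name reaches the filesystem.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs: a minimal 1x1 GIF, and a non-image payload disguised as a JPEG.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw==');
var_dump(validate_featured_image_upload('photo.gif', $gif));                    // random name ending in .gif
var_dump(validate_featured_image_upload('../evil.php', $gif));                  // NULL: extension rejected
var_dump(validate_featured_image_upload('photo.jpg', "<?php // not an image")); // NULL: content rejected
```

Inside WordPress itself, wp_check_filetype_and_ext() together with get_allowed_mime_types() performs the equivalent extension-plus-content check, and the result should be enforced before any file is written.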
Take Action Now
Wordfence recommends that all users update to at least version 2.6.8.2 to safeguard their sites against potential attacks. Failure to do so could result in unauthorized access and abuse of your website. Don’t wait!
For further details, you can read the comprehensive report on this vulnerability at Wordfence: Crawlomatic Multipage Scraper Post Generator Vulnerability Details.
Stay informed and keep your WordPress sites secure. Remember, it’s better to prioritize safety over convenience!