External risk intelligence

WordPress & WooCommerce Scraper Plugin Arbitrary File Upload Vulnerability

CVE advisory · Severity: CRITICAL (CVSS 10.0)

CVE-2025-69129

A critical vulnerability allows an unauthenticated attacker to upload arbitrary files through a WordPress and WooCommerce plugin, which can lead to malicious code execution on the web server and full site compromise. Whether the plugin is in use within the organization is not yet known; confirming that is the first step in assessing the actual risk.

Unrestricted File Upload

Halo Surface Signal

Likely · external exposure


The vulnerability is in a WordPress and WooCommerce plugin. WordPress sites and their plugins are typically deployed as internet-facing web applications, so in standard deployment patterns the vulnerable code is directly reachable from the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in a plugin for WordPress and WooCommerce that imports data from other websites. Because the flaw allows file uploads without authentication, it can give an attacker code execution on the web server and the ability to read and modify the site. The immediate task is to confirm whether the plugin is installed anywhere in the organization so that exposure can be assessed.

  • Unauthenticated file upload in a data import plugin.
  • Critical risk if the plugin is deployed.
  • Confirm plugin usage to assess relevant risk.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can upload arbitrary files to a WordPress site by abusing a flaw in the WordPress & WooCommerce Scraper Plugin. If the uploaded file is a server-side script (typically PHP) and lands in a web-served path, requesting it executes the attacker's code on the server, which is enough to take over the site.

  • No authentication required.
  • Upload of a malicious file, typically a web shell, into a web-served path.
  • Complete site compromise once the uploaded file is executed.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in a WordPress and WooCommerce plugin allows an unauthenticated attacker to upload arbitrary files to the website. Execution of an uploaded script compromises the confidentiality, integrity and availability of the site and of any services running in the same hosting context.

  • Exposure: website files and the web server's execution context.
  • Weakness: unauthenticated arbitrary file upload.
  • Impact: site compromise and malicious code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

This unauthenticated arbitrary file upload in a WordPress and WooCommerce scraper plugin needs immediate attention from the teams that manage the WordPress estate. The first practical step is to identify every instance of the plugin in the environment, determine whether each is internet-facing and how critical the site is, and assign an owner for remediation. Apply the vendor fix where one is available; where none is, deactivate and remove the plugin rather than leaving it installed.

  • Assign ownership to platform or application teams.
  • Verify plugin installation and network exposure.
  • Patch via vendor coordination, or deactivate the plugin until a fix exists.
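A detection step for the class of bug described above, as an added example (this is not code from the advisory or from the plugin vendor): a hunt over an Apache/nginx combined-format access log for requests to PHP-executable files under wp-content/uploads/, which is the usual footprint of a web shell dropped through an arbitrary file upload. The plugin's own upload endpoint is not named in the advisory, so the hunt deliberately matches post-exploitation access to the dropped file rather than the upload request itself. The log lines in the block are constructed for the example; the field positions assume the standard combined format.

```sh
#!/usr/bin/env sh
# Added example, not from the advisory or the plugin vendor.
# Assumptions: combined log format, so after splitting on whitespace
# $1 is the client, $6 the quoted method, $7 the request path, $9 the status.

# Print "client method path status" for every request to a PHP-executable
# file under /wp-content/uploads/. Reads the log on stdin.
uploads_php_hits() {
    awk '
        {
            method = substr($6, 2)      # strip the leading double quote
            path = $7; status = $9
            split(path, p, "?")         # ignore the query string
            base = tolower(p[1])
            if (base ~ /^\/wp-content\/uploads\/.*\.(php[0-9]?|phtml|phar)$/)
                print $1, method, path, status
        }'
}

# Same hits aggregated per client, noisiest source first.
uploads_php_hits_by_client() {
    uploads_php_hits | awk '{ c[$1]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Constructed sample log for a stand-alone run (not real traffic).
SAMPLE_LOG='203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:00:03 +0000] "GET /wp-content/uploads/2025/01/wp-cache.php?cmd=id HTTP/1.1" 200 1024 "-" "curl/8.4.0"
198.51.100.2 - - [10/Jan/2025:10:00:05 +0000] "GET /wp-content/uploads/2025/01/hero.jpg HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:00:09 +0000] "POST /wp-content/uploads/2025/01/wp-cache.php HTTP/1.1" 200 2048 "-" "curl/8.4.0"
192.0.2.9 - - [10/Jan/2025:10:01:00 +0000] "GET /wp-content/uploads/2025/01/index.phtml HTTP/1.1" 404 0 "-" "python-requests/2.31"'

if [ "$#" -gt 0 ]; then
    # usage: sh hunt.sh /var/log/nginx/access.log [more logs...]
    cat "$@" | uploads_php_hits_by_client
else
    printf '%s\n' "$SAMPLE_LOG" | uploads_php_hits
fi
```

A 404 hit still matters: it shows someone probing for a shell at that path, so include it in triage even though the file was not there. Point the script at rotated logs too; the upload may predate the first request you notice.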

Supplementary metadata

PCI scan relevance

Yes

CVE-2025-69129: Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

An unauthenticated arbitrary file upload is a critical finding, and a finding of this severity on an in-scope, internet-facing host would cause a PCI ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is the WordPress & WooCommerce Scraper Plugin?

This software is a WordPress extension designed to automate data collection. Users rely on it to import content from external websites directly into their WordPress or WooCommerce environments, streamlining the process of populating product catalogs or blog archives.

What does CWE-434 mean for CVE-2025-69129?

CWE-434 is Unrestricted Upload of File with Dangerous Type. For this CVE it means the plugin does not adequately validate the type of files it accepts, so an attacker can place a file that the web server will execute as code and thereby take control of the site.

How can an attacker trigger this file upload bug?

An attacker exploits this by sending a specially crafted request to the site without any login credentials or administrative privileges. The flaw is specific to the plugin's file-handling logic; ordinary site browsing and interactions that do not touch the plugin's data-import features do not trigger it.

Is my site at risk if I use this scraper plugin?

According to Halo Surface Signal, this plugin is frequently deployed on internet-facing web applications. Because these sites are directly reachable over the public internet, they are at a higher risk of being targeted by unauthorized users compared to internal systems that are shielded from public access.

What should I do if my site uses this plugin?

The priority is to locate every instance of the plugin in your infrastructure. Then decide whether the plugin is essential to operations. If it is, work with your technical team to confirm whether a patch is available and apply it; if it is not essential, or no patch exists, deactivate and remove the plugin to close the unauthenticated upload path.
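The inventory and hardening steps from the Operational Fix section and from this answer, as an added example (not code from the advisory or from the plugin vendor). Per WordPress root it (1) lists installed plugins matching the advisory's plugin name, (2) looks for PHP-executable files under wp-content/uploads, where an arbitrary upload usually lands, and (3) checks and optionally sets an Apache .htaccess that denies script execution in uploads. Assumptions: WP-CLI (`wp`) is on PATH for check 1; the advisory does not give the plugin slug, so the match is a case-insensitive substring (PLUGIN_PATTERN, default "scraper") that should be replaced with the real slug once known; check 3 only applies where .htaccess is honoured (nginx needs an equivalent `location` rule instead). The CSV and file tree used when running stand-alone are constructed for the example.

```sh
#!/usr/bin/env sh
# Added example, not from the advisory or the plugin vendor.
# ASSUMPTION: plugin slug is unknown, so match on a substring; override with
#   PLUGIN_PATTERN=the-real-slug sh audit.sh /var/www/site
PLUGIN_PATTERN="${PLUGIN_PATTERN:-scraper}"

# Check 1: filter `wp plugin list --fields=name,status,version --format=csv`
# output (read on stdin) to plugins whose slug matches PLUGIN_PATTERN.
# Prints "name,status,version" so the active/inactive state is visible.
match_plugins() {
    tail -n +2 | awk -F, -v pat="$PLUGIN_PATTERN" \
        'tolower($1) ~ tolower(pat) { print $1 "," $2 "," $3 }'
}

# Check 2: files with a PHP-executable extension under the uploads directory.
# Legitimate uploads are media; any hit here is a hunt lead, not proof.
php_in_uploads() {
    [ -d "$1" ] || return 0
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) | sort
}

# Check 3: succeeds if the uploads .htaccess denies PHP execution.
# ASSUMPTION: Apache 2.4 with AllowOverride permitting the directive.
uploads_denies_php() {
    grep -qs 'Require all denied' "$1/.htaccess"
}

# Mitigation for check 3: defence in depth, not a substitute for patching or
# removing the plugin. Overwrites an existing .htaccess, so review that first.
deny_php_in_uploads() {
    cat > "$1/.htaccess" <<'EOF'
# Uploads must never execute as code
<FilesMatch "\.(ph(p[0-9]?|tml|ar))$">
    Require all denied
</FilesMatch>
EOF
}

# Run the three checks against one WordPress root and print a short report.
audit_site() {
    root="$1"; up="$root/wp-content/uploads"
    echo "== $root"
    if command -v wp >/dev/null 2>&1; then
        wp --path="$root" plugin list --fields=name,status,version --format=csv 2>/dev/null \
            | match_plugins | sed 's/^/plugin: /'
    else
        echo "wp-cli not found; inspect wp-content/plugins/ by hand"
    fi
    php_in_uploads "$up" | sed 's/^/php-in-uploads: /'
    if uploads_denies_php "$up"; then
        echo "uploads: PHP execution denied"
    else
        echo "uploads: PHP execution NOT denied"
    fi
}

# usage: sh audit.sh /var/www/site1 /var/www/site2 ...
for root in "$@"; do audit_site "$root"; done
```

Treat an active match from check 1 on an internet-facing site as the top of the remediation queue; an inactive copy still needs removing, since the plugin's files remain on disk until it is deleted. Any file from check 2 should be quarantined and examined, and the site treated as potentially compromised until the access logs say otherwise.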
