Mallory

Critical · Public exploit

Arbitrary File Upload in Crawlomatic Multipage Scraper Post Generator

Identifiers: CVE-2025-4389 · CWE-434 (Unrestricted Upload of File with…)

CVE-2025-4389 affects the Crawlomatic Multipage Scraper Post Generator plugin for WordPress in all versions up to and including 2.6.8.1. The vulnerability is caused by missing file type validation in the crawlomatic_generate_featured_image() function. Because uploaded files are not properly restricted to safe types, an unauthenticated attacker can upload arbitrary files to the affected server. If the server stores the uploaded file in a web-accessible or executable location, this can be leveraged to achieve remote code execution.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated attacker to upload arbitrary files to the WordPress server. Depending on server configuration and file handling behavior, this may enable remote code execution, resulting in full compromise of the affected WordPress site, unauthorized modification of site content, deployment of web shells or malware, data theft, and potential pivoting to other resources accessible from the host.

Mitigation

If you can’t patch tonight, do this now.

If an updated version is not immediately available, disable or remove the Crawlomatic Multipage Scraper Post Generator plugin. Restrict unauthenticated access to any functionality that invokes crawlomatic_generate_featured_image(), harden web server execution policies to prevent script execution from upload directories, and monitor for unexpected file creation in WordPress media or plugin-related paths. Additional compensating controls include WAF rules for suspicious upload requests and file integrity monitoring on web-accessible directories.

Remediation

Patch, then assume compromise.

Update the Crawlomatic Multipage Scraper Post Generator plugin to a version newer than 2.6.8.1 if a vendor fix is available. The vulnerable code path in crawlomatic_generate_featured_image() should enforce strict server-side file type validation, verify MIME type and extension against an allowlist, reject executable or script-capable file formats, and ensure uploaded content is stored outside executable web paths where possible. Review the plugin and WordPress uploads directories for unauthorized files and remove any malicious uploads.
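As an added example (not the plugin's or Mallory's code), a small Python scanner that applies the review step above to a WordPress uploads tree: it flags script-capable names, double extensions, image extensions whose magic bytes disagree with the name, and embedded PHP open tags. The directory layout, file names and file contents are constructed; demo() builds them in a temporary directory and returns the findings.

```python
import os
import tempfile
from pathlib import Path

# Magic-byte prefixes expected for the image types a featured-image upload should yield.
IMAGE_MAGIC = {".png": [b"\x89PNG\r\n\x1a\n"], ".jpg": [b"\xff\xd8\xff"],
               ".jpeg": [b"\xff\xd8\xff"], ".gif": [b"GIF87a", b"GIF89a"]}
# Extensions a typical PHP host hands to an interpreter; none belong under wp-content/uploads.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".php7", ".phar"}

def classify_file(path: Path) -> list[str]:
    """Return the reasons a file under an uploads tree looks suspicious (empty if none)."""
    reasons, name, ext = [], path.name.lower(), path.suffix.lower()
    if ext in SCRIPT_EXTENSIONS or name == ".htaccess":
        reasons.append(f"script-capable name: {name}")
    # shell.php.jpg style double extensions are a classic allowlist bypass
    if {"." + part for part in name.split(".")[1:-1]} & SCRIPT_EXTENSIONS:
        reasons.append("double extension hides a script extension")
    head = path.read_bytes()[:4096]          # magic bytes and any early PHP tag live here
    if ext in IMAGE_MAGIC and not any(head.startswith(m) for m in IMAGE_MAGIC[ext]):
        reasons.append(f"magic bytes do not match {ext}")
    if b"<?php" in head:
        reasons.append("contains '<?php' tag")
    return reasons

def scan_uploads(root: str) -> dict[str, list[str]]:
    """Walk an uploads tree and map each suspicious relative path to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            if reasons := classify_file(p):
                findings[p.relative_to(root).as_posix()] = reasons
    return findings

def demo() -> dict[str, list[str]]:
    """Build a constructed sample uploads tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    samples = {  # constructed sample files, not real uploads
        "2025/05/cover.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,      # clean image
        "2025/05/thumb.png": b"<?php echo 'x'; ?>",                     # PHP disguised as PNG
        "2025/05/shell.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # double extension
        "plugin-cache/cache.php": b"<?php /* constructed */ ?>",        # script in uploads
    }
    for rel, data in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return scan_uploads(root)
```

Point scan_uploads() at the real wp-content/uploads path to review a site; the clean cover.png produces no finding, the other three constructed files do.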

PUBLIC EXPLOITS

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

Valid: 1 / 1 total

CVE-2025-4389 · Maturity: PoC · Verified exploit

This repository contains a Python proof-of-concept exploit for CVE-2025-4389, a critical vulnerability in the Crawlomatic Multipage Scraper Post Generator WordPress plugin (<=2.6.8.1). The exploit targets the plugin's admin-ajax.php endpoint, which is vulnerable to arbitrary file upload due to missing file type validation. The script reads a list of target hosts from 'list.txt', attempts to upload a crafted JSON settings file to each target, and then periodically checks if the payload was successfully executed by looking for a specific keyword in the target's homepage. Results are logged to 'waiting.txt' and 'result_interval.txt'. The repository consists of the main exploit script (CVE-2025-4389.py) and a README file with vulnerability details and usage instructions. The exploit is network-based and requires the target to be accessible over HTTP. No fake or destructive code is present; the script is a functional proof-of-concept for the described vulnerability.

Author: Yucaerin · Disclosed May 26, 2025 · python · network