WordPress Plugin Vulnerabilities

Crawlomatic Multisite Scraper Post Generator < 2.6.9 - Missing Authorization

Description

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.6.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
crawlomatic-multipage-scraper-post-generator
Fixed in 2.6.9

References

CVE
CVE-2025-49293
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1e93ce8c-5489-48e9-85a1-00ef897d0d74

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nguyễn Trung Kiên
Verified
No
WPVDB ID
e677832b-aa5e-4b93-8845-4f2f31db6d45

Timeline

Publicly Published
2025-06-05 (about 9 months ago)
Added
2025-06-12 (about 9 months ago)
Last Updated
2025-06-12 (about 9 months ago)

Other

Published
Title
Published
2025-01-14
Title
VOD Infomaniak < 1.5.10 - Missing Authorization
Published
2025-09-22
Title
Text To Speech TTS Accessibility < 1.9.31 - Missing Authorization
Published
2026-01-19
Title
PostX < 5.0.4 - Missing Authorization
Published
2025-01-21
Title
WP Hotel Booking < 2.1.7 - Missing Authorization to Authenticated (Subscriber+) User Email Retrieval
Published
2024-06-06
Title
WooCommerce Dropshipping <= 5.1.2 - Unauthenticated Arbitrary Email Send