WordPress WooCommerce Scraper CVE-2025-69129 Removal Guide

CVE-2025-69129 and CVE-2025-69131 affect WordPress & WooCommerce Scraper Plugin through 1.0.7. Remove it, replace the import workflow, and verify WooCommerce.

Impact statement: Wordfence lists two unpatched vulnerabilities in WordPress & WooCommerce Scraper Plugin, Import Data from Any WebSite, also identified by the plugin slug wp_scraper. The higher-risk issue is CVE-2025-69129, an unauthenticated arbitrary file upload vulnerability with a CVSS 9.8 Critical score. Wordfence also lists CVE-2025-69131, an unauthenticated arbitrary file download issue with a CVSS 7.5 High score.

If this plugin is installed on a public WordPress or WooCommerce site, treat it as a remove-now maintenance item. Wordfence lists the issue as unpatched, and the public WordPress.org plugin API did not return a current plugin record for wp_scraper during this pass. A WAF can reduce risk temporarily, but it is not a substitute for removing an unpatched import/scraper plugin.

Who Is Affected

Check any WordPress site that has used a scraper, product import, content import, or WooCommerce import plugin named WordPress & WooCommerce Scraper Plugin, Import Data from Any WebSite or Import Data from Any Site. Wordfence identifies the affected plugin slug as wp_scraper.

| Issue | Affected software | Affected versions | Status |
|---|---|---|---|
| CVE-2025-69129 | WordPress & WooCommerce Scraper Plugin / wp_scraper | 1.0.7 and older | Unpatched in Wordfence’s June 18 report |
| CVE-2025-69131 | WordPress & WooCommerce Scraper Plugin / wp_scraper | 1.0.7 and older | Unpatched in Wordfence’s June 18 report |

What To Do Now

  1. Back up first. Take a file and database backup before changing the site, especially if the plugin was used for product imports.
  2. Deactivate and remove the plugin. If no fixed version is available from the vendor, do not leave the plugin installed while waiting for normal maintenance.
  3. Preserve business records. Export any import mapping notes, product-source records, or store operations notes you need before deleting the plugin, but do not keep untrusted plugin files active on the site.
  4. Review the site after removal. Check administrator users, recently changed files, media uploads, WooCommerce products, product images, checkout, and contact forms.
  5. Rotate credentials if exposure is plausible. If the plugin was active on a public site, rotate WordPress administrator passwords, hosting control-panel passwords, SFTP users, and connected API keys after the site is clean.
  6. Replace the workflow. For normal catalog work, use WooCommerce’s built-in CSV importer/exporter or a maintained import tool with a clear update history and support path.

If You Cannot Remove It Immediately

Temporary mitigation is only a bridge. Put the site behind a WAF or managed security service, restrict administrator access, increase backup frequency, and schedule removal as soon as possible. If the plugin is required for a one-time import, run that import on a staging copy, export the clean WooCommerce data, then remove the plugin before the public site goes live.

Do not treat virtual patching as a permanent fix for an unpatched file-handling issue. The durable fix is to remove the vulnerable plugin or replace it with a maintained import workflow.

Hosting And Agency Notes

Hosting providers and agencies should search managed WordPress accounts for old scraper/import plugins, especially WooCommerce stores that have been migrated from another platform or bulk-loaded from supplier feeds. Prioritize ecommerce sites, membership stores, wholesale stores, and sites that allow outside vendors or staff to manage product data.

For customer messaging, keep it plain: an unpatched WordPress/WooCommerce import plugin was listed by Wordfence with critical file-handling risk; the safest action is to back up the site, remove the plugin, verify the store, and replace the import workflow with a maintained tool.

Safe Verification Checklist

  • Confirm the plugin is no longer active or installed.
  • Open the homepage, product archive, several products, cart, checkout, account page, and any lead forms.
  • Review administrator users and remove accounts that are no longer needed.
  • Look for recently modified files that do not belong to WordPress core, the active theme, or maintained plugins.
  • Scan the site with your normal malware/security tooling after plugin removal.
  • Clear page cache, object cache, CDN cache, and PHP opcache where used.
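
The filesystem parts of this checklist, and the account-wide search from the hosting notes, can be run read-only with the script below. It is an added example, not code from the original page or the plugin vendor. It assumes the plugin directory is named after the Wordfence slug wp_scraper and that uploads live in the default wp-content/uploads; the function names are illustrative.

```sh
#!/bin/sh
# Added example: read-only audit, nothing is modified or deleted.
# Assumption: plugin directory name equals the Wordfence slug.
SLUG="wp_scraper"

# List every copy of the plugin under a hosting root (e.g. /var/www).
find_scraper_installs() {
  find "$1" -type d -path "*/wp-content/plugins/$SLUG" 2>/dev/null | sort
}

# List server-executable script files inside a site's uploads tree.
# Media uploads should contain no PHP, so every hit needs manual review.
find_upload_scripts() {
  find "$1/wp-content/uploads" -type f \( -iname '*.php' -o -iname '*.phtml' \
    -o -iname '*.phar' -o -iname '*.php[0-9]' \) 2>/dev/null | sort
}

# List files under wp-content modified within the last N days (default 30).
recent_changes() {
  find "$1/wp-content" -type f -mtime "-${2:-30}" 2>/dev/null | sort
}

# Audit one site root; returns 1 when something needs attention.
audit_site() {
  _rc=0
  if [ -d "$1/wp-content/plugins/$SLUG" ]; then
    echo "FAIL   $1: plugin directory still present"
    _rc=1
  fi
  _hits="$(find_upload_scripts "$1")"
  if [ -n "$_hits" ]; then
    echo "REVIEW $1: script files under uploads:"
    echo "$_hits"
    _rc=1
  fi
  if [ "$_rc" -eq 0 ]; then echo "OK     $1"; fi
  return "$_rc"
}

# Usage: sh audit.sh /path/to/site [/path/to/another/site ...]
if [ "$#" -gt 0 ]; then
  status=0
  for site in "$@"; do
    audit_site "$site" || status=1
  done
  exit "$status"
fi
```
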

Fix I.T. Phill Guidance

Because Wordfence lists the issues as unpatched, the safest recommendation is replacement rather than waiting. Keep a backup, remove the plugin, verify WooCommerce, and document the new import workflow so future product imports do not depend on abandoned or unclear code.
