WP Scraper Security & Risk Analysis

wordpress.org/plugins/wp-scraper

This WordPress Scraper allows you to move a non-WordPress website into a WordPress site.

2K active installs · v5.8.2 · PHP 7.0+ · WP 4.7+ · Updated Nov 18, 2025
Tags: content-migration, content-scraper, website-copier, website-migration, wp-scraper
Score: 96 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Oct 10, 2025
Safety Verdict

Is WP Scraper Safe to Use in 2026?

Generally Safe

Score 96/100

WP Scraper has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Oct 10, 2025 · Updated 4mo ago
Risk Assessment

The wp-scraper plugin v5.8.2 demonstrates a mixed security posture. On the positive side, the static analysis shows excellent adherence to secure coding practices: 100% of SQL queries use prepared statements, all output is properly escaped, and no file operations or critical taint flows were detected. The plugin also implements a reasonable number of nonce and capability checks. However, a significant concern arises from the presence of an unprotected AJAX handler, which represents a direct entry point into the plugin's functionality without any authorization validation. This, coupled with a history of 3 known medium-severity vulnerabilities, including SSRF and Missing Authorization, suggests a past pattern of exploitable flaws. While no currently unpatched CVEs exist, the historical trend and the identified unprotected AJAX handler warrant caution. The overall risk is moderate, with the unprotected entry point being the most immediate technical concern, and the past vulnerabilities suggesting a potential for recurring issues in authorization or input validation.

Key Concerns

  • Unprotected AJAX handler
  • History of medium-severity vulnerabilities

Vulnerabilities: 3

WP Scraper Security Vulnerabilities

CVEs by Year

  • 2024: 2 CVEs
  • 2025: 1 CVE

Severity Breakdown

  • Medium: 3

3 total CVEs

CVE-2025-9975 · medium · 6.8 · Server-Side Request Forgery (SSRF)

WP Scraper <= 5.8.1 - Authenticated (Administrator+) Server-Side Request Forgery

Oct 10, 2025 · Patched in 5.8.2 (41d)

CVE-2024-37208 · medium · 6.4 · Server-Side Request Forgery (SSRF)

WP Scraper <= 5.8 - Authenticated (Subscriber+) Server-Side Request Forgery

Jun 20, 2024 · Patched in 5.8.1 (22d)

CVE-2024-3663 · medium · 4.3 · Missing Authorization

WP Scraper <= 5.7 - Missing Authorization to Arbitrary Page/Post Creation

May 21, 2024 · Patched in 5.8 (10d)

Code Analysis
Analyzed Mar 16, 2026

WP Scraper Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (1 prepared)
  • Unescaped Output: 0 (145 escaped)
  • Nonce Checks: 8
  • Capability Checks: 5
  • File Operations: 0
  • External Requests: 4
  • Bundled Libraries: 0

SQL Query Safety

100% prepared · 1 total query

Output Escaping

100% escaped · 145 total outputs

Data Flows: All sanitized

Data Flow Analysis

4 flows
wp_scraper_page (wp-scraper.php:187)
Attack Surface: 1 unprotected

WP Scraper Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers: 1

  • auth · wp_ajax_wpsf_custom_fields · wp-scraper.php:1931

WordPress Hooks: 4

  • action · admin_menu · wp-scraper.php:23
  • action · admin_menu · wp-scraper.php:24
  • action · admin_enqueue_scripts · wp-scraper.php:28
  • action · admin_init · wp-scraper.php:50

Maintenance & Trust

WP Scraper Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Nov 18, 2025
  • PHP min version: 7.0
  • Downloads: 116K

Community Trust

  • Rating: 90/100
  • Number of ratings: 23
  • Active installs: 2K

Developer Profile

WP Scraper Developer Profile

Rico Macchi

3 plugins · 6K total installs

  • Trust score: 78
  • Avg Security Score: 85/100
  • Avg Patch Time: 79 days

Detection Fingerprints

How We Detect WP Scraper

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-scraper/images/Cube-m.jpg
  • /wp-content/plugins/wp-scraper/images/WP-Scraper-Pro-Ad.jpg
  • /wp-content/plugins/wp-scraper/images/Live-Scrape-Ad.jpg
Script Paths
  • /wp-content/plugins/wp-scraper/includes/simpledomselector.js
  • /wp-content/plugins/wp-scraper/includes/wp-scraper-ingest.js
Version Parameters
  • wp-scraper/includes/simpledomselector.js?ver=
  • wp-scraper/includes/wp-scraper-ingest.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpsf-form
Data Attributes
data-wpscf-url
JS Globals
wpsf_scrape
Shortcode Output
[wpscrape]
FAQ

Frequently Asked Questions about WP Scraper