CVE-2026-9009
Received Received - Intake
Remote Code Execution in Crawlomatic Multipage Scraper Post Generator Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.7.2 via the filter_content function. This is due to passing the attacker-supplied 'callback_raw' shortcode attribute directly into call_user_func() with no sanitization or allowlist validation, relying solely on an is_callable() check that permits dangerous PHP built-ins such as system, shell_exec, exec, passthru, and assert. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. An identical sink exists for the 'callback' attribute, providing a second independent vector through the same shortcode.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-9009
EUVD
EUVD-2026-32723
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_crawlomatic crawlomatic_multipage_scraper_post_generator to 2.7.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution (RCE) in all versions up to and including 2.7.2. This vulnerability arises because the plugin passes an attacker-supplied 'callback_raw' shortcode attribute directly into the PHP function call_user_func() without proper sanitization or allowlist validation.

The plugin only checks if the callback is callable using is_callable(), which allows dangerous PHP built-in functions such as system, shell_exec, exec, passthru, and assert to be executed. This enables authenticated attackers with author-level access or higher to execute arbitrary code on the server. There is also a second independent vector through the 'callback' shortcode attribute that is affected in the same way.

Impact Analysis

This vulnerability can have severe impacts because it allows authenticated users with author-level permissions or higher to execute arbitrary code on the server hosting the WordPress site.

  • Attackers can run malicious commands or scripts, potentially leading to full server compromise.
  • Sensitive data stored on the server could be accessed, modified, or deleted.
  • The website could be defaced, used to distribute malware, or leveraged as a pivot point to attack other systems.
  • Availability of the website and services could be disrupted by attackers.
Mitigation Strategies

To mitigate this vulnerability, you should immediately update the Crawlomatic Multipage Scraper Post Generator plugin for WordPress to a version later than 2.7.2 where this issue is fixed.

Additionally, restrict author-level access and above to trusted users only, as the vulnerability requires authenticated users with author-level permissions.

Consider disabling or removing the vulnerable shortcode attributes 'callback_raw' and 'callback' if updating is not immediately possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9009. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart