CVE-2026-9009
Received Received - Intake
Remote Code Execution in Crawlomatic Multipage Scraper Post Generator Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.7.2 via the filter_content function. This is due to passing the attacker-supplied 'callback_raw' shortcode attribute directly into call_user_func() with no sanitization or allowlist validation, relying solely on an is_callable() check that permits dangerous PHP built-ins such as system, shell_exec, exec, passthru, and assert. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. An identical sink exists for the 'callback' attribute, providing a second independent vector through the same shortcode.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-05-28
AI Q&A
2026-05-28
EPSS Evaluated
N/A
NVD
CVE-2026-9009
EUVD
EUVD-2026-32723
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_crawlomatic crawlomatic_multipage_scraper_post_generator to 2.7.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution (RCE) in all versions up to and including 2.7.2. This vulnerability arises because the plugin passes an attacker-supplied 'callback_raw' shortcode attribute directly into the PHP function call_user_func() without proper sanitization or allowlist validation.

The plugin only checks if the callback is callable using is_callable(), which allows dangerous PHP built-in functions such as system, shell_exec, exec, passthru, and assert to be executed. This enables authenticated attackers with author-level access or higher to execute arbitrary code on the server. There is also a second independent vector through the 'callback' shortcode attribute that is affected in the same way.


How can this vulnerability impact me? :

This vulnerability can have severe impacts because it allows authenticated users with author-level permissions or higher to execute arbitrary code on the server hosting the WordPress site.

  • Attackers can run malicious commands or scripts, potentially leading to full server compromise.
  • Sensitive data stored on the server could be accessed, modified, or deleted.
  • The website could be defaced, used to distribute malware, or leveraged as a pivot point to attack other systems.
  • Availability of the website and services could be disrupted by attackers.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart