Skip to main content

Crawlomatic WordPress Plugin CVE-2026-9009

| EUVDEUVD-2026-32723 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-05-28 security@wordfence.com GHSA-2vg8-pw73-w368
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 28, 2026 - 06:30 vuln.today
CVE Published
May 28, 2026 - 06:16 nvd
HIGH 8.8

DescriptionCVE.org

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.7.2 via the filter_content function. This is due to passing the attacker-supplied 'callback_raw' shortcode attribute directly into call_user_func() with no sanitization or allowlist validation, relying solely on an is_callable() check that permits dangerous PHP built-ins such as system, shell_exec, exec, passthru, and assert. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. An identical sink exists for the 'callback' attribute, providing a second independent vector through the same shortcode.

AnalysisAI

Remote code execution in the Crawlomatic Multipage Scraper Post Generator plugin for WordPress (versions up to and including 2.7.2) allows authenticated users with author-level privileges to execute arbitrary PHP code on the server by abusing the 'callback_raw' or 'callback' shortcode attributes processed by the filter_content function. The flaw stems from passing attacker-controlled input directly to call_user_func() guarded only by is_callable(), which still permits dangerous PHP built-ins like system, shell_exec, exec, passthru, and assert. No public exploit identified at time of analysis, but Wordfence has published a detailed advisory and the shortcode sink is trivially reachable for any author-level account.

Technical ContextAI

The vulnerability lives in class.crawlomatic.shortcode.php within the filter_content handler of the Crawlomatic Multipage Scraper Post Generator WordPress plugin (cpe inferred: cpe:2.3:a:webgeniusz:crawlomatic_multipage_scraper_post_generator:*:*:*:*:*:wordpress). WordPress shortcodes accept author-supplied attributes that are normally passed through sanitization, but here the 'callback_raw' and 'callback' attribute values flow straight into PHP's call_user_func() with only an is_callable() gate. is_callable() returns true for any defined PHP function name - including command-execution primitives such as system, exec, shell_exec, passthru, and the bytecode-evaluating assert - so it functions as a near no-op. While the CWE is mapped to CWE-434 (Unrestricted Upload of File with Dangerous Type), the actual root cause more closely resembles CWE-94 / CWE-95 (improper control of code generation / eval injection) or CWE-77 (command injection); the upload-style classification likely reflects the broader threat-intel taxonomy used by the reporter rather than the precise sink.

RemediationAI

No vendor-released patched version is identified in the supplied data - the references point only to the trunk source line and the Wordfence advisory, so administrators should monitor https://www.wordfence.com/threat-intel/vulnerabilities/id/7ff39b8f-ef87-4b1c-888e-00c9599c7b07 and the WordPress plugin page for an update beyond 2.7.2 and apply it as the primary fix. Until a patch ships, compensating controls include deactivating the Crawlomatic plugin entirely (eliminates the sink at the cost of losing scraping/post-generation features), revoking author-and-above roles from any untrusted users and auditing existing accounts for weak credentials, and adding a WAF or mu-plugin rule that strips or rejects shortcode attributes named 'callback' and 'callback_raw' on save_post / pre_kses (side effect: legitimate use of those attributes will break). Restricting unfiltered_html and disabling shortcode execution in user-submitted content via remove_shortcode('crawlomatic') in a must-use plugin is a narrower fallback that preserves admin functionality while blocking the vector.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-9009 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy