PT-2026-44190 · WordPress · Crawlomatic Multipage Scraper Post Generator

Published

2026-05-28

·

Updated

2026-05-29

·

CVE-2026-9009

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Crawlomatic Multipage Scraper Post Generator versions prior to 2.7.3
Description The plugin is subject to Remote Code Execution through the filter content() function. The issue occurs because the callback raw and callback shortcode attributes are passed directly into call user func() without sanitization or allowlist validation. The system relies only on an is callable() check, which allows the use of dangerous PHP built-in functions such as system, shell exec, exec, passthru, and assert. Authenticated attackers with author-level access or higher can exploit this to execute arbitrary code on the server.
Recommendations Update to a version later than 2.7.2.

Fix

RCE

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9009

Affected Products

Crawlomatic Multipage Scraper Post Generator