CVE-2026-9009

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.7.2 via the filter content function. This is due to passing the attacker-supplied 'callback raw' shortcode attribute directly into call user func() with no sanitization or allowlist validation, relying solely on an is callable() check that permits dangerous PHP built-ins such as system, shell exec, exec, passthru, and assert. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. An identical sink exists for the 'callback' attribute, providing a second independent vector through the same shortcode.