PT-2026-44190 · WordPress · Crawlomatic Multipage Scraper Post Generator
Published
2026-05-28
·
Updated
2026-05-29
·
CVE-2026-9009
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Crawlomatic Multipage Scraper Post Generator versions prior to 2.7.3
Description
The plugin is subject to Remote Code Execution through the
filter content() function. The issue occurs because the callback raw and callback shortcode attributes are passed directly into call user func() without sanitization or allowlist validation. The system relies only on an is callable() check, which allows the use of dangerous PHP built-in functions such as system, shell exec, exec, passthru, and assert. Authenticated attackers with author-level access or higher can exploit this to execute arbitrary code on the server.Recommendations
Update to a version later than 2.7.2.
Fix
RCE
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Crawlomatic Multipage Scraper Post Generator