Description
The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.7.2 via the filter_content function. This is due to passing the attacker-supplied 'callback_raw' shortcode attribute directly into call_user_func() with no sanitization or allowlist validation, relying solely on an is_callable() check that permits dangerous PHP built-ins such as system, shell_exec, exec, passthru, and assert. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. An identical sink exists for the 'callback' attribute, providing a second independent vector through the same shortcode.
Published: 2026-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Crawlomatic Multipage Scraper Post Generator plugin registers a shortcode whose 'callback_raw' attribute (and, per the description, its 'callback' attribute) is handed straight to call_user_func(). The only gate is is_callable(), which is not an allowlist: it returns true for any defined function name, so an authenticated user with author access or higher can name PHP built-ins such as system, exec, shell_exec, passthru, or assert and have them invoked on the server with the privileges of the PHP process. The result is Remote Code Execution rated High (CVSS 8.8). The record tags the weakness as CWE-434 (Unrestricted Upload of File with Dangerous Type); the mechanism actually described, a user-controlled function name reaching a dynamic call, is closer to unsafe reflection (CWE-470) or code injection (CWE-94), but the impact is the same either way.
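
A minimal PHP illustration of the pattern the advisory describes, added here as an example and not taken from the plugin's code: is_callable() only asks whether a function with that name exists, so it cannot serve as an allowlist. The attribute name 'callback_raw' and the call_user_func() sink come from the description above; the function names filter_content_vulnerable and filter_content_hardened, the allowlist contents and the sample input are assumptions made for the demo, and the WordPress shortcode_atts() layer is omitted.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Only the attribute name
// 'callback_raw' and the call_user_func() sink come from the advisory;
// function names, allowlist entries and sample input are constructed.

/**
 * The vulnerable shape: trust is placed in is_callable(), which answers
 * "does a function with this name exist?". 'system', 'exec', 'shell_exec'
 * and 'passthru' all exist (unless removed via disable_functions), so they
 * all pass the check.
 */
function filter_content_vulnerable(string $content, array $atts): string
{
    $cb = (string) ($atts['callback_raw'] ?? '');
    if ($cb !== '' && is_callable($cb)) {
        // With callback_raw="system" this runs the post content as a shell
        // command, as the web server / PHP process user.
        return (string) call_user_func($cb, $content);
    }
    return $content;
}

/**
 * The hardened shape: the attribute selects a key in a fixed map and never
 * names a function directly. The map values are the only functions that can
 * ever reach call_user_func(); anything else is ignored.
 */
const CALLBACK_ALLOWLIST = [
    'trim'       => 'trim',
    'strip_tags' => 'strip_tags',
    'upper'      => 'strtoupper',
];

function filter_content_hardened(string $content, array $atts): string
{
    $cb = (string) ($atts['callback_raw'] ?? '');
    if ($cb === '' || !array_key_exists($cb, CALLBACK_ALLOWLIST)) {
        return $content; // unknown or missing callback: leave content untouched
    }
    return (string) call_user_func(CALLBACK_ALLOWLIST[$cb], $content);
}

/** Side-by-side view of the two gates for a list of attribute values. */
function gate_comparison(array $names): array
{
    $rows = [];
    foreach ($names as $n) {
        $rows[$n] = [
            'is_callable' => is_callable($n),
            'allowlisted' => array_key_exists($n, CALLBACK_ALLOWLIST),
        ];
    }
    return $rows;
}

// Demo. A harmless callback goes through both paths; a dangerous one is only
// stopped by the allowlist. The vulnerable function is deliberately not
// called with 'system' here, because it would execute the sample string.
$sample = 'hello from a scraped page';
echo filter_content_vulnerable($sample, ['callback_raw' => 'strtoupper']), PHP_EOL;
echo filter_content_hardened($sample, ['callback_raw' => 'upper']), PHP_EOL;
echo filter_content_hardened($sample, ['callback_raw' => 'system']), PHP_EOL; // unchanged

foreach (gate_comparison(['system', 'shell_exec', 'exec', 'passthru', 'strtoupper', 'upper']) as $n => $r) {
    printf("%-11s is_callable=%-5s allowlisted=%s\n", $n,
        $r['is_callable'] ? 'true' : 'false',
        $r['allowlisted'] ? 'true' : 'false');
}
```

Run it with `php demo.php` on a stock PHP install. The point of the map is that the attacker never controls a function name at all, only a key; a denylist of "bad" names is the wrong fix, because is_callable() also accepts 'Class::method' strings and leading-backslash names such as '\system', and the set of dangerous functions depends on what extensions are loaded.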

Affected Systems

All installations of the Crawlomatic Multipage Scraper Post Generator plugin for WordPress, version 2.7.2 and earlier, distributed by CodeRevolution. The vulnerability resides in the filter_content method in class.crawlomatic.shortcode.php. No fixed version is listed on this page.

Risk and Exploitability

The CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) rates the flaw High: reachable over the network, low attack complexity, low privileges required, no user interaction, and full confidentiality, integrity and availability impact. EPSS is below 1% and the CVE is not in CISA KEV; the SSVC entry in the history below records Exploitation: none, Automatable: no and Technical Impact: total. The attacker needs an account with at least the author role, which can create and publish posts. From there they insert the plugin's shortcode with 'callback_raw' (or the equally unchecked 'callback' attribute) set to a function such as system, and the callback runs when the shortcode is processed during content rendering. The vector is network (the WordPress editor over HTTP), not local, and the resulting code executes as the web server / PHP process user. Because the author role is routinely given to contributors and guest writers, one compromised or malicious low-trust account is enough to take over the host.

Generated by OpenCVE AI on May 28, 2026 at 07:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deactivate or delete the plugin from the WordPress installation to prevent execution of the vulnerable shortcode.
  • Audit which accounts hold the author role or higher and remove it from anyone who does not need to publish; WordPress has no separate capability for shortcodes, so limiting who can create content is the practical control until a fix is available.
  • Check the vendor's website or trusted security advisories for an official patch; if none is available, consider permanently removing the plugin.

Generated by OpenCVE AI on May 28, 2026 at 07:50 UTC.
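
A hunt for existing payloads, added here as an example and not code from the plugin or from OpenCVE: it scans post bodies for the two attributes named in the advisory ('callback_raw' and 'callback') and classifies their values. The shortcode tag 'example_scraper', the function name find_callback_attrs, the sample posts and the sink list are constructed for the demo; the plugin's real tag name is not given on this page.

```php
<?php
declare(strict_types=1);

// Added hunt example, not the plugin's code. It scans post bodies for the
// two attributes named in the advisory ('callback_raw' and 'callback').
// The tag 'example_scraper', the sample posts and the sink list below are
// constructed; the plugin's real shortcode tag is not given on this page.

/** Names that mean "run a command or code" when they reach call_user_func(). */
const EXEC_SINKS = [
    'system', 'exec', 'shell_exec', 'passthru', 'proc_open', 'popen',
    'pcntl_exec', 'assert',
];

/**
 * Return findings as [post_id, attribute, value, verdict].
 * Matches attr="x", attr='x' and bare attr=x (a bare value stops at
 * whitespace or the closing ']'). Every value is reported, because the
 * unpatched plugin calls whatever name it is given; known sinks get the
 * verdict 'exec', everything else 'review'.
 */
function find_callback_attrs(array $posts): array
{
    $re = '/\b(callback_raw|callback)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i';
    $findings = [];
    foreach ($posts as $id => $content) {
        if (!preg_match_all($re, $content, $m, PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL)) {
            continue;
        }
        foreach ($m as $hit) {
            $value   = $hit[2] ?? $hit[3] ?? $hit[4] ?? '';
            $name    = strtolower(ltrim(trim($value), '\\')); // '\system' is also callable
            $verdict = in_array($name, EXEC_SINKS, true) ? 'exec' : 'review';
            $findings[] = [$id, strtolower($hit[1]), $value, $verdict];
        }
    }
    return $findings;
}

// Constructed sample of what post_content might contain; the tag is a placeholder.
$posts = [
    101 => '[example_scraper url="https://example.test/" callback_raw="system"]',
    102 => "[example_scraper callback='shell_exec' url=\"https://example.test/\"]",
    103 => '[example_scraper url="https://example.test/" callback=strtoupper]',
    104 => 'An ordinary post with no shortcode at all.',
];

foreach (find_callback_attrs($posts) as [$id, $attr, $value, $verdict]) {
    printf("post %d  %-12s = %-12s [%s]\n", $id, $attr, $value, $verdict);
}
```

On a live site, feed it post_content pulled from wp_posts, including revisions and drafts, since a shortcode in a draft or preview still runs when that content is rendered; a database filter of the form `post_content LIKE '%callback%'` narrows the set first. Treat any hit from an author-level account as an incident indicator and check the web server's process user for dropped files or cron entries, not just the post itself.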

Advisories

No advisories yet.

History

Thu, 28 May 2026 11:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 06:00:00 +0000

Type: Description
Values removed: (none)
Values added: The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.7.2 via the filter_content function. This is due to passing the attacker-supplied 'callback_raw' shortcode attribute directly into call_user_func() with no sanitization or allowlist validation, relying solely on an is_callable() check that permits dangerous PHP built-ins such as system, shell_exec, exec, passthru, and assert. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. An identical sink exists for the 'callback' attribute, providing a second independent vector through the same shortcode.

Type: Title
Values removed: (none)
Values added: Crawlomatic Multipage Scraper Post Generator <= 2.7.2 - Authenticated (Author+) Remote Code Execution via 'callback_raw' Shortcode Attribute

Type: Weaknesses
Values removed: (none)
Values added: CWE-434

Type: References
Values removed: (none)
Values added: (none shown)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:36:35.093Z

Reserved: 2026-05-19T14:11:03.091Z

Link: CVE-2026-9009

Vulnrichment

Updated: 2026-05-28T10:36:29.458Z

NVD

Status : Deferred

Published: 2026-05-28T06:16:28.873

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-9009

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T08:00:10Z

Weaknesses