CVE-2026-9009: Crawlomatic Plugin RCE via Unsafe Callback Validation
A critical flaw in the Crawlomatic Multipage Scraper Post Generator WordPress plugin allows authenticated users with author-level permissions or higher to run arbitrary code on websites using affected versions. The vulnerability stems from a shortcode that accepts user input and passes it directly to PHP's call_user_func() function without proper validation, enabling attackers to invoke dangerous PHP commands like system() and shell_exec(). All versions up to and including 2.7.2 are vulnerable.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-434
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.7.2 via the filter_content function. This is due to passing the attacker-supplied 'callback_raw' shortcode attribute directly into call_user_func() with no sanitization or allowlist validation, relying solely on an is_callable() check that permits dangerous PHP built-ins such as system, shell_exec, exec, passthru, and assert. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. An identical sink exists for the 'callback' attribute, providing a second independent vector through the same shortcode.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The filter_content function in Crawlomatic's shortcode handler fails to sanitize the 'callback_raw' and 'callback' attributes before passing them to call_user_func(). While the code performs an is_callable() check to verify the input references a valid PHP function, this check does not prevent invocation of dangerous built-in functions. PHP built-ins such as system, shell_exec, exec, passthru, and assert all return true for is_callable(), and when invoked through call_user_func() with attacker-controlled parameters, they enable arbitrary command execution on the server. The vulnerability affects both the 'callback_raw' and 'callback' shortcode attributes, creating two independent exploitation paths.
Business impact
Compromised WordPress sites running this plugin become fully controllable by attackers with author access, enabling data exfiltration, malware installation, lateral movement within hosting environments, and denial of service. For multi-tenant environments and shared hosting, the impact extends to neighboring sites and customer data. Reputational harm, regulatory liability (GDPR, PCI-DSS), and operational disruption are significant downstream consequences.
Affected systems
WordPress sites running the Crawlomatic Multipage Scraper Post Generator plugin in versions 2.7.2 and earlier are affected. The vulnerability requires authenticated access at the author level or above, limiting immediate risk to sites where the attacker already holds credentials or where such credentials have been compromised. Sites relying on this plugin for content generation workflows are at highest risk.
Exploitability
Exploitation requires valid WordPress authentication with author-level or higher privileges. This is a moderate barrier that eliminates opportunistic mass exploitation, but represents a significant insider threat and a critical risk vector for compromised user accounts. Once an attacker gains author credentials through credential theft, phishing, or account compromise, exploitation is straightforward and requires no advanced technical skill—a simple shortcode invocation suffices. The vulnerability is not known to be actively exploited in the wild, but the relative simplicity of weaponization makes future exploitation likely.
Remediation
Update the Crawlomatic plugin to a version that implements proper input validation and function whitelisting. Verify the latest patched version against the vendor's official advisory. As an interim measure, restrict author-level access to trusted users, implement role-based access controls, and disable the plugin if it is not actively in use. Consider temporarily disabling shortcode processing if alternative content strategies are available.
Patch guidance
Consult the Crawlomatic plugin vendor's official security advisory for the specific patched version that addresses this vulnerability. Verify the patch version number and release date before deployment. Apply updates through WordPress's plugin management dashboard or via manual deployment from the vendor. Test in a staging environment before production rollout to ensure compatibility with existing content and custom workflows.
Detection guidance
Monitor WordPress logs and server logs for shortcodes containing the 'callback_raw' or 'callback' attributes paired with dangerous PHP function names (system, shell_exec, exec, passthru, assert). Web Application Firewalls (WAF) can be configured to block POST requests containing these patterns in shortcode syntax. Review author-level user activity logs for suspicious shortcode creation or modification. Implement file integrity monitoring to detect unauthorized changes to plugin files or new webshell creation in uploads or plugin directories.
Why prioritize this
This vulnerability merits immediate attention despite its authentication requirement. CVSS 8.8 reflects the high severity of unauthenticated code execution impact, and the combination of two independent attack vectors increases risk surface. Organizations should prioritize patching within their maintenance windows, with highest urgency given to multi-tenant and publicly accessible sites. The straightforward exploitation path and widespread use of WordPress make this a preferred target for attackers with inside access.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects a network-accessible vulnerability with high integrity, confidentiality, and availability impact. The score accounts for the requirement of low-privilege authentication (PR:L) but does not require user interaction. The presence of two independent exploitation vectors and the nature of code execution as a consequence elevate this to the highest practical risk category. Organizations should treat this as a critical patch for exposed WordPress instances.
Frequently asked questions
Does this vulnerability affect my WordPress site if I don't use the Crawlomatic plugin?
No. This vulnerability is specific to the Crawlomatic Multipage Scraper Post Generator plugin. If your site does not have this plugin installed, you are not affected. Verify your installed plugins through WordPress admin or by checking the /wp-content/plugins/ directory.
What access level do attackers need to exploit this?
Attackers must have WordPress author-level credentials or higher (editor, admin). This excludes casual users and subscribers but includes any compromised user account with content creation permissions. This makes the vulnerability particularly dangerous in environments with loose credential hygiene or in supply chain scenarios where third-party services manage content.
Can I mitigate this without patching?
Temporarily disable the Crawlomatic plugin if it is not essential. If the plugin is active, restrict author-level access to a minimal set of trusted users, implement multi-factor authentication on high-privilege accounts, and monitor logs for suspicious shortcode activity. These measures reduce risk but do not eliminate it—patching is the definitive solution.
Is this vulnerability being exploited in the wild?
As of the publication date, this vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog, indicating no widespread active exploitation has been reported. However, the simplicity of exploitation and the prevalence of WordPress make weaponization highly likely if awareness spreads; do not delay patching based on current quiet status.
This analysis is provided for informational purposes and reflects the vulnerability information available as of the publication date. Patch version numbers and remediation guidance should be verified against the vendor's official security advisory before deployment. SEC.co does not guarantee the accuracy or completeness of third-party vendor statements. Organizations should conduct their own risk assessment and testing in controlled environments prior to applying patches to production systems. This vulnerability information does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25409HIGHSIM-PKH 2.4.1 Arbitrary File Upload Leading to Remote Code Execution
- CVE-2026-10072HIGHDreamMaker Arbitrary File Upload RCE Vulnerability
- CVE-2026-30761HIGHSourceBans Material Admin Arbitrary File Upload RCE Vulnerability
- CVE-2026-39292HIGHPHPPageBuilder Remote Code Execution via Unrestricted File Upload
- CVE-2026-9227HIGHGutenBee WordPress Plugin Arbitrary File Upload Remote Code Execution
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation