Remote Code Execution Vulnerability in Crawlomatic Multipage Scraper Post Generator for WordPress
CVE-2026-9009

8.8 HIGH

What is CVE-2026-9009?

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution. The plugin passes attacker-supplied input from the 'callback_raw' shortcode attribute directly to the call_user_func() function without adequate sanitization, so an authenticated user with author-level access can execute arbitrary PHP code on the server. An additional attack vector exists via the 'callback' attribute, amplifying the risk. The flaw underscores the importance of robust input validation and sanitization in plugin development.
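The pattern described above, next to an allowlist-based alternative, as an added example: this is not the plugin's code or its actual fix. The function names and the transform map are hypothetical, and the handlers are plain PHP (no WordPress functions) so the file runs under the PHP CLI.

```php
<?php
// Constructed illustration: function names and the transform map are
// hypothetical and are not taken from the Crawlomatic plugin.

// Unsafe pattern: the attribute value itself names the function to call,
// so whoever writes the shortcode chooses what runs on the server.
function render_unsafe(array $atts, string $content): string
{
    if (!empty($atts['callback_raw'])) {
        return (string) call_user_func($atts['callback_raw'], $content);
    }
    return $content;
}

// Hardened pattern: the attribute is only a lookup key into a fixed map
// defined in code. Anything that is not a known key is rejected.
const ALLOWED_TRANSFORMS = [
    'trim'  => 'trim',
    'upper' => 'strtoupper',
    'strip' => 'strip_tags',
];

function render_safe(array $atts, string $content): string
{
    $key = $atts['callback'] ?? '';
    if ($key === '') {
        return $content;                       // no transform requested
    }
    if (!is_string($key) || !array_key_exists($key, ALLOWED_TRANSFORMS)) {
        // Log the rejection so attempts are visible; json_encode keeps
        // control characters out of the log line.
        error_log('shortcode callback rejected: ' . json_encode($key));
        return $content;                       // fail closed: nothing is called
    }
    $fn = ALLOWED_TRANSFORMS[$key];
    return $fn($content);
}

// Constructed sample attributes; render_unsafe() is shown for comparison
// only and is not invoked.
echo render_safe(['callback' => 'upper'], 'scraped text'), PHP_EOL;
echo render_safe(['callback' => 'not_in_map'], 'scraped text'), PHP_EOL;
echo render_safe(['callback' => ['a', 'b']], 'scraped text'), PHP_EOL;
```

In a WordPress plugin a handler of this shape would be registered with add_shortcode(); the allowlist lookup is the part that matters.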

Affected Version(s)

Crawlomatic Multipage Scraper Post Generator 0 <= 2.7.2

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Ngoc Duc