Vulnerabilities ›

CVE-2026-9009

High

CWE-434 — Weakness Type

                    Published: May 28, 2026                      ·  Modified: Jun 4, 2026                      ·  Source: NVD                

CVSS v3

8.8

🔗 NVD Official

📄 Description (English)

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.7.2 via the filter_content function. This is due to passing the attacker-supplied 'callback_raw' shortcode attribute directly into call_user_func() with no sanitization or allowlist validation, relying solely on an is_callable() check that permits dangerous PHP built-ins such as system, shell_exec, exec, passthru, and assert. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. An identical sink exists for the 'callback' attribute, providing a second independent vector through the same shortcode.

🤖 AI Executive Summary

The Crawlomatic Multipage Scraper Post Generator WordPress plugin versions up to 2.7.2 contains a Remote Code Execution vulnerability in the filter_content function that allows authenticated attackers with author-level access to execute arbitrary code via unsanitized shortcode attributes. The vulnerability exploits unsafe use of call_user_func() with dangerous PHP built-ins like system and shell_exec without proper validation.

📄 Description (Arabic)

تحتوي إضافة Crawlomatic Multipage Scraper Post Generator لـ WordPress على ثغرة تنفيذ أوامر بعيدة في دالة filter_content حيث يتم تمرير سمات shortcode المزودة من قبل المهاجم مباشرة إلى call_user_func() دون تعقيم أو التحقق من القائمة البيضاء. يعتمد الفحص فقط على is_callable() الذي يسمح بدوال PHP خطيرة مثل system و shell_exec و exec و passthru و assert.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: Jun 2, 2026 06:36

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government banking telecom healthcare

🎯 MITRE ATT&CK Techniques

T1190 T1059 T1548

⚖️ Saudi Risk Score (AI)

8.0

/ 10.0

🔧 Remediation Steps (English)

Immediately update the Crawlomatic Multipage Scraper Post Generator plugin to a patched version beyond 2.7.2. Restrict author-level access to trusted users only. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode usage. Monitor WordPress user accounts for unauthorized privilege escalation and audit recent post modifications.

🔧 خطوات المعالجة (العربية)

قم بتحديث إضافة Crawlomatic Multipage Scraper Post Generator فوراً إلى نسخة مصححة تتجاوز 2.7.2. قيد الوصول على مستوى المؤلف للمستخدمين الموثوقين فقط. طبق قواعد جدار الحماية لتطبيقات الويب لكشف وحجب استخدام Shortcode المريب. راقب حسابات مستخدمي WordPress للكشف عن تصعيد الامتيازات غير المصرح به وتدقيق التعديلات الأخيرة على المنشورات.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1 5.2 6.1

🔵 SAMA CSF

CC-6.1 CC-6.2 CC-7.2

🟡 ISO 27001:2022

A.12.2.1 A.12.6.1 A.14.2.1

🔗 References & Sources 2

🔗

https://plugins.trac.wordpress.org/browser/crawlomatic-multipage-scraper-post-generator...

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/7ff39b8f-ef87-4b1c-888e-00c95...

security@wordfence.com

📊 CVSS Score

8.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score8.8

CWECWE-434

EPSS0.24%

Exploit No

Patch ✗ No

Published 2026-05-28

Source Feed nvd

🇸🇦 Saudi Risk Score

8.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-434

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-9009

Introduce Yourself

Sign In Required