The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.7.2 via the filter_content function. This is due to passing the attacker-supplied 'callback_raw' shortcode attribute directly into call_user_func() with no sanitization or allowlist validation, relying solely on an is_callable() check that permits dangerous PHP built-ins such as system, shell_exec, exec, passthru, and assert. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. An identical sink exists for the 'callback' attribute, providing a second independent vector through the same shortcode.
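The pattern the advisory describes, as an added illustration that is not the plugin's own source: a reconstruction of a filter_content-style routine that hands a shortcode attribute to call_user_func() guarded only by is_callable(), placed beside an allowlisted version. The function names, the handling of the two attributes and the sample inputs are assumptions made so the file runs on its own with `php`.

```php
<?php
// Added illustration for this advisory, not the plugin's code. It reconstructs
// the pattern described (call_user_func() on an attacker-controlled shortcode
// attribute, guarded only by is_callable()) and shows an allowlisted version.
// Function names, attribute handling and sample inputs are assumptions.

// Vulnerable pattern: any string that is_callable() accepts is invoked, and
// is_callable('system') is true, so the attribute value picks the function and
// the scraped $content becomes its argument.
function filter_content_vulnerable(string $content, array $atts): string
{
    foreach (['callback', 'callback_raw'] as $attr) {   // both sinks named in the advisory
        $cb = $atts[$attr] ?? '';
        if (is_string($cb) && $cb !== '' && is_callable($cb)) {
            // With $cb = 'system', this line runs $content as a shell command.
            $content = (string) call_user_func($cb, $content);
        }
    }
    return $content;
}

// Hardened pattern: the attribute is a key into a fixed allowlist of
// side-effect-free text transforms; anything else is ignored, so no
// attacker-chosen string ever reaches call_user_func().
const FILTER_CONTENT_ALLOWLIST = [
    'strip' => 'strip_tags',
    'trim'  => 'trim',
    'upper' => 'strtoupper',
];

function filter_content_hardened(string $content, array $atts): string
{
    foreach (['callback', 'callback_raw'] as $attr) {
        $key = $atts[$attr] ?? '';
        if (!is_string($key) || !array_key_exists($key, FILTER_CONTENT_ALLOWLIST)) {
            continue;   // unknown or missing key: no call is made at all
        }
        $content = (string) call_user_func(FILTER_CONTENT_ALLOWLIST[$key], $content);
    }
    return $content;
}

// Stand-alone demonstration. The vulnerable function is only exercised with a
// harmless callable here; the is_callable() line shows why the original check
// was not a defence.
var_dump(is_callable('system'));
echo filter_content_vulnerable(' <b>hi</b> ', ['callback_raw' => 'trim']), "\n";
echo filter_content_hardened(' <b>hi</b> ', ['callback_raw' => 'strip']), "\n";
echo filter_content_hardened(' <b>hi</b> ', ['callback_raw' => 'system']), "\n";
```

The hardened version deliberately maps short keys to functions rather than checking the attribute against a list of function names: an author can then only choose among transforms the plugin author wrote down, and the allowlist is also the only place a reviewer needs to look when auditing what the shortcode can call.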
The Crawlomatic Multipage Scraper Post Generator WordPress plugin, in versions up to and including 2.7.2, contains a Remote Code Execution vulnerability in the filter_content function that allows authenticated attackers with author-level access or higher to execute arbitrary code via unsanitized shortcode attributes. The flaw stems from passing attacker-controlled attribute values to call_user_func() guarded only by is_callable(), which accepts dangerous PHP built-ins such as system and shell_exec.
The Crawlomatic Multipage Scraper Post Generator plugin for WordPress contains a remote code execution vulnerability in the filter_content function, where attacker-supplied shortcode attributes are passed directly to call_user_func() without sanitization or allowlist validation. The only check is is_callable(), which permits dangerous PHP functions such as system, shell_exec, exec, passthru and assert.
Immediately update the Crawlomatic Multipage Scraper Post Generator plugin to a patched version beyond 2.7.2. Restrict author-level access to trusted users only. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode usage. Monitor WordPress user accounts for unauthorized privilege escalation and audit recent post modifications.
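A way to carry out the "audit recent post modifications" step above, as an added helper that is not part of the plugin or the advisory: it scans post content for the two attributes the advisory names, callback and callback_raw, and flags values that match the listed PHP execution functions. The sample post rows, the benign-filter list and the shortcode name hypo_scrape are constructed for the example; in a real audit the rows would come from wp_posts.post_content via $wpdb or WP-CLI.

```php
<?php
// Added audit helper for the remediation step above; not part of the plugin or
// the advisory. It scans post content for callback= / callback_raw= inside
// shortcode tags and grades each value. Sample rows, the benign list and the
// shortcode name are constructed assumptions.

// Functions the advisory names as reachable through is_callable().
const AUDIT_DANGEROUS = ['system', 'shell_exec', 'exec', 'passthru', 'assert'];

// Harmless text filters an operator may have used legitimately (assumption).
const AUDIT_BENIGN = ['trim', 'strtoupper', 'strtolower', 'strip_tags'];

/**
 * Scan every [shortcode ...] tag for callback= / callback_raw= attributes.
 * Returns one finding per attribute as [post_id, attribute, value, severity].
 */
function audit_callback_attributes(array $posts): array
{
    $findings = [];
    // A shortcode tag: an opening bracket, anything but a closing bracket, a
    // closing bracket. Tags are extracted first so that several attributes in
    // one tag are all examined.
    $tag_re  = '/\[[^\]\n]+\]/';
    // An attribute value: optional quotes, then function-name characters,
    // including a leading backslash or a Class::method form.
    $attr_re = '/\b(callback_raw|callback)\s*=\s*["\']?([A-Za-z0-9_\\\\:]+)/i';

    foreach ($posts as $id => $content) {
        if (!preg_match_all($tag_re, $content, $tags)) {
            continue;
        }
        foreach ($tags[0] as $tag) {
            if (!preg_match_all($attr_re, $tag, $matches, PREG_SET_ORDER)) {
                continue;
            }
            foreach ($matches as $m) {
                // PHP function names are case-insensitive, so normalise before comparing.
                $fn = strtolower(ltrim($m[2], '\\'));
                if (in_array($fn, AUDIT_DANGEROUS, true)) {
                    $sev = 'critical';
                } elseif (in_array($fn, AUDIT_BENIGN, true)) {
                    $sev = 'info';
                } else {
                    $sev = 'review';   // unknown callable: inspect manually
                }
                $findings[] = [$id, strtolower($m[1]), $m[2], $sev];
            }
        }
    }
    return $findings;
}

// Constructed sample rows (post_id => post_content); the shortcode name is invented.
$sample_posts = [
    101 => 'Intro [hypo_scrape url="https://example.com" callback="trim"] outro',
    102 => '[hypo_scrape url="https://example.com" callback_raw=SYSTEM]',
    103 => "[hypo_scrape callback='\\shell_exec' callback_raw=\"My_Helper::clean\"]",
    104 => 'No shortcode here, just prose that happens to mention callback_raw.',
];

foreach (audit_callback_attributes($sample_posts) as [$id, $attr, $value, $sev]) {
    printf("post %d  %-12s %-18s %s\n", $id, $attr, $value, $sev);
}
```

Post 103 is the case worth noting: the mixed-case, backslash-prefixed and Class::method spellings all pass is_callable() in the vulnerable sink, so the audit normalises the value before comparing it and reports unknown callables for manual review rather than silently treating them as safe.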