PatchSiren cyber security CVE debrief
CVE-2026-9009 CodeRevolution CVE debrief
CVE-2026-9009 documents a Remote Code Execution vulnerability in the Crawlomatic Multipage Scraper Post Generator WordPress plugin, affecting all versions up to and including 2.7.2. The vulnerability was published on 2026-05-28 and modified later the same day. The root cause is insufficient validation of user-supplied input in the plugin's shortcode handler. Specifically, the `filter_content` function passes the `callback_raw` and `callback` shortcode attributes directly to `call_user_func()` after only an `is_callable()` check, without sanitization or an allowlist. This permits dangerous PHP built-in functions—including `system`, `shell_exec`, `exec`, `passthru`, and `assert`—to be invoked. The vulnerability requires authenticated access at author level or above, with a CVSS 3.1 score of 8.8 (High). The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), though the behavior more closely resembles unsafe dynamic code execution. The NVD entry currently carries a status of 'Deferred'. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: CodeRevolution
- Product: Crawlomatic Multipage Scraper Post Generator
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
WordPress site administrators using Crawlomatic Multipage Scraper Post Generator; security teams managing WordPress estates; hosting providers with shared WordPress environments; incident responders investigating compromised WordPress sites with unexpected plugin activity.
Technical summary
The Crawlomatic plugin registers a shortcode that accepts `callback_raw` and `callback` attributes. These values are passed to `call_user_func()` after only an `is_callable()` check, which returns true for any valid PHP callable, including dangerous built-ins such as `system` and `shell_exec`. An authenticated attacker with author-level or higher privileges can supply an arbitrary function name and thereby execute system commands. The two attributes constitute two independent sinks for the same flaw.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Crawlomatic Multipage Scraper Post Generator to version 2.7.3 or later if available; otherwise, disable and remove the plugin pending a security patch.
- Restrict WordPress user registrations and enforce the principle of least privilege; remove author-level accounts where they are not needed.
- Implement Web Application Firewall rules to detect and block shortcode submissions containing PHP function names such as system, shell_exec, exec, passthru, and assert.
- Enable comprehensive WordPress audit logging to capture shortcode execution events and monitor for suspicious callback parameters.
- Review server access logs for historical requests containing callback_raw or callback parameters in POST data or query strings.
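A triage script for the last two actions above, added to this debrief and not code from the vendor, NVD or Wordfence: it scans constructed access-log lines for requests carrying `callback` or `callback_raw` parameters, normalises the values the way PHP resolves callable strings (case-insensitive, optional leading namespace backslash), and flags the built-ins named in the advisory. The log format, the TEST-NET addresses and everything other than the two attribute names and the five function names are assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# PHP built-ins named in the advisory. PHP function names are case-insensitive and a
# leading namespace backslash ("\system") is still a valid callable string, so values
# are normalised before comparison to avoid trivial misses.
DANGEROUS_CALLABLES = {"system", "shell_exec", "exec", "passthru", "assert"}
CALLBACK_PARAMS = ("callback", "callback_raw")

# Common/combined access-log request line prefix (assumed log format).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def normalise_callable(value: str) -> str:
    """Canonical form of a PHP callable string for comparison."""
    return value.strip().lstrip("\\").lower()

def find_callbacks(form_data: str) -> dict:
    """Callback attribute values from a urlencoded query string or POST body."""
    params = parse_qs(form_data, keep_blank_values=True)
    return {name: [normalise_callable(v) for v in params[name]]
            for name in CALLBACK_PARAMS if name in params}

def scan_line(line: str) -> Optional[dict]:
    """Finding for a request whose query string carries a callback parameter, else None.
    Any callback value merits review; a dangerous built-in is a high-priority hit."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than abort the whole scan
    hits = find_callbacks(urlsplit(m.group("target")).query)
    if not hits:
        return None
    dangerous = sorted({v for vals in hits.values() for v in vals if v in DANGEROUS_CALLABLES})
    return {"host": m.group("host"), "time": m.group("time"), "method": m.group("method"),
            "params": hits, "dangerous": dangerous,
            "severity": "high" if dangerous else "review"}

def scan_log(lines) -> list:
    return [f for f in map(scan_line, lines) if f]

# Constructed sample lines using TEST-NET addresses, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/May/2026:10:15:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 512',
    '203.0.113.9 - - [28/May/2026:10:15:41 +0000] "GET /?callback_raw=%5CSYSTEM&callback=exec HTTP/1.1" 200 1042',
    '203.0.113.9 - - [28/May/2026:10:16:03 +0000] "GET /?callback=wp_strip_all_tags HTTP/1.1" 200 880',
    'garbage line that does not parse',
]
```

Shortcode attributes normally arrive in the POST body of a post edit, which standard access logs do not record; `find_callbacks()` accepts any urlencoded string, so the same check applies to bodies captured by a WAF or request-body logging.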
Evidence notes
Vulnerability description sourced from NVD record published 2026-05-28T06:16:28.873Z and modified 2026-05-28T13:45:25.260Z. Technical details of the vulnerable code path at line 273 of class.crawlomatic.shortcode.php are documented in the Wordfence advisory. CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H confirms network attack vector with low attack complexity and low privileges required.