WordPress Crawlmomatic Authenticated RCE via call_user_func (CVE-2026-9009)

Vulnerability Overview Vulnerability Name: Crawlmomatic Multisite Scraper Post Generator <= 2.7.2 - Authenticated (Author+) Remote Code Execution via 'callback_raw' Shortcode Attribute CVE ID: CVE-2026-9009 CVSS Score: 8.8 (High) Publication Date: May 27, 2026 Last Updated: May 28, 2026 Researcher: Nguyen Ngoc Duc (duc193) Affected Scope Software Type: Plugin Software Name: Crawlmomatic Multisite Scraper Post Generator Affected Versions: <= 2.7.2 Fixed Version: 2.7.3 Remediation Recommendation: Update to version 2.7.3 or later. Additional Information Vulnerability Description: The plugin directly invokes in the function by passing an attacker-controlled 'callback_raw' shortcode attribute. There is no sanitization or whitelist validation, relying solely on an check, which permits dangerous PHP built-in functions such as , , , , and . This allows authenticated attackers with author-level access to execute code on the server. Reference Links: plugins.trac.wordpress.org Related Recent Vulnerabilities 1. Crawlmomatic Multisite Scraper Post Generator <= 2.6.8.2 - Missing Authorization - CVE ID: CVE-2025-49293 - CVSS Score: 4.3 - Researcher: Nguyễn Trung Kiên - Publication Date: June 5, 2025 2. Crawlmomatic Multisite Scraper Post Generator <= 2.6.8.2 - Unauthenticated Information Exposure via Log Files - CVE ID: CVE-2025-49294 - CVSS Score: 5.3 - Researcher: Nguyễn Trung Kiên - Publication Date: June 5, 2025 3. Crawlmomatic Multisite Scraper Post Generator <= 2.6.8.1 - Unauthenticated Arbitrary File Upload - CVE ID: CVE-2025-4389 - CVSS Score: 9.8 - Researcher: Foxyyy - Publication Date: May 16, 2025 Summary This vulnerability allows authenticated attackers to execute arbitrary code on the server via the 'callback_raw' shortcode attribute. It is recommended to update to version 2.7.3 or later as soon as possible to remediate this issue.

Goal Reached Thanks to every supporter — we hit 100%!

WordPress Crawlmomatic Authenticated RCE via call_user_func (CVE-2026-9009)

More from this source