{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/crawlomatic-multipage-scraper-post-generator-plugin--2.7.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-9009"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Crawlomatic Multipage Scraper Post Generator plugin \u003c= 2.7.2"],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-9009","rce","wordpress","plugin","crawlomatic"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to remote code execution (RCE) in versions up to and including 2.7.2. This vulnerability, identified as CVE-2026-9009, stems from the insecure handling of the \u0026lsquo;callback_raw\u0026rsquo; shortcode attribute within the \u003ccode\u003efilter_content\u003c/code\u003e function. Specifically, the plugin passes the attacker-supplied \u0026lsquo;callback_raw\u0026rsquo; attribute directly into the \u003ccode\u003ecall_user_func()\u003c/code\u003e function without adequate sanitization or allowlist validation. The vulnerability is only checked with the \u003ccode\u003eis_callable()\u003c/code\u003e function, which doesn\u0026rsquo;t prevent execution of dangerous PHP built-in functions like \u003ccode\u003esystem\u003c/code\u003e, \u003ccode\u003eshell_exec\u003c/code\u003e, \u003ccode\u003eexec\u003c/code\u003e, \u003ccode\u003epassthru\u003c/code\u003e, and \u003ccode\u003eassert\u003c/code\u003e. This allows authenticated attackers with author-level access or higher to execute arbitrary code on the underlying server. A similar vulnerability exists for the \u0026lsquo;callback\u0026rsquo; attribute, providing an alternate attack vector through the same shortcode.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the WordPress site with author-level or higher privileges.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious WordPress post or page containing the \u003ccode\u003ecrawlomatic\u003c/code\u003e shortcode.\u003c/li\u003e\n\u003cli\u003eThe shortcode includes the \u003ccode\u003ecallback_raw\u003c/code\u003e attribute set to a PHP function that executes arbitrary commands (e.g., \u003ccode\u003esystem\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe crafted post or page is published or previewed.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efilter_content\u003c/code\u003e function within the Crawlomatic plugin processes the shortcode.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecallback_raw\u003c/code\u003e attribute value is passed to \u003ccode\u003ecall_user_func()\u003c/code\u003e without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe specified PHP function is executed, resulting in arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the server, potentially leading to data exfiltration, system compromise, or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9009 allows attackers to execute arbitrary code on the WordPress server. This can lead to complete system compromise, including the ability to read sensitive data, modify files, install malware, and pivot to other systems on the network. Given the widespread use of WordPress, a successful attack could impact numerous websites and organizations relying on the Crawlomatic plugin.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Crawlomatic Multipage Scraper Post Generator plugin to a version higher than 2.7.2 to patch CVE-2026-9009.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-9009 Exploitation — Crawlomatic Shortcode RCE Attempt\u0026rdquo; to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress posts and pages for suspicious use of the \u003ccode\u003ecrawlomatic\u003c/code\u003e shortcode with the \u003ccode\u003ecallback_raw\u003c/code\u003e attribute containing potentially dangerous PHP functions.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit author-level privileges and prevent unauthorized users from publishing or modifying content.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T06:17:33Z","date_published":"2026-05-28T06:17:33Z","id":"https://feed.craftedsignal.io/briefs/2026-05-crawlomatic-rce/","summary":"The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to remote code execution (RCE) via the 'callback_raw' shortcode attribute, allowing authenticated attackers with author-level access or higher to execute arbitrary code on the server.","title":"Crawlomatic Multipage Scraper Post Generator Plugin RCE (CVE-2026-9009)","url":"https://feed.craftedsignal.io/briefs/2026-05-crawlomatic-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Crawlomatic Multipage Scraper Post Generator Plugin \u003c= 2.7.2","version":"https://jsonfeed.org/version/1.1"}