CVE-2026-9009: Crawlomatic Multipage Scraper Post Generator <= 2.7.2 - Authenticated (Author+) Remote Code Execution via 'callback_raw' Shortcode Attribute
The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.7.2 via the filter_content function. This is due to passing the attacker-supplied 'callback_raw' shortcode attribute directly into call_user_func() with no sanitization or allowlist validation, relying solely on an is_callable() check that permits dangerous PHP built-ins such as system, shell_exec, exec, passthru, and assert. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. An identical sink exists for the 'callback' attribute, providing a second independent vector through the same shortcode.
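The root cause described above, as an added PHP illustration written for this page (not the Crawlomatic plugin's own code): a shortcode handler gated only by is_callable(), beside the same handler gated by an exact-match allowlist. The function names, the sample allowlist and the attribute handling are assumptions; only the 'callback_raw' attribute, call_user_func() and is_callable() come from the advisory.

```php
<?php
// Added illustration for this advisory, not code from the Crawlomatic plugin.
// First the pattern the advisory describes (is_callable() as the only gate),
// then the same handler gated by an exact-match allowlist of callback names.

// Constructed allowlist of callbacks a site owner intends shortcode authors
// to use. The plugin's real intended callbacks are not known here.
const ALLOWED_CALLBACKS = ['strtoupper', 'strtolower', 'trim', 'strip_tags'];

// Weak handler (hypothetical name). is_callable() returns true for any
// defined, non-disabled function, so a user-supplied attribute naming a PHP
// built-in such as system or shell_exec passes it and reaches call_user_func().
function filter_content_weak(string $content, array $atts): string
{
    $cb = $atts['callback_raw'] ?? '';
    if ($cb !== '' && is_callable($cb)) {
        return (string) call_user_func($cb, $content);
    }
    return $content;
}

// Hardened handler (hypothetical name). The allowlist decides; is_callable()
// only confirms that the allowed name is actually defined in this runtime.
function filter_content_safe(string $content, array $atts): string
{
    $cb = $atts['callback_raw'] ?? '';
    if (!is_string($cb) || $cb === '') {
        return $content;
    }
    // PHP function names are case-insensitive and may carry a leading
    // namespace backslash; normalise before comparing so neither form slips by.
    $name = strtolower(ltrim($cb, '\\'));
    if (!in_array($name, ALLOWED_CALLBACKS, true) || !is_callable($name)) {
        return $content; // fail closed: unknown names are ignored, never invoked
    }
    return (string) call_user_func($name, $content);
}

// Constructed attribute values. Nothing dangerous is invoked; the loop only
// reports which names each gate would let through.
$inputs = ['strtoupper', 'trim', 'system', 'shell_exec', 'SomeClass::method'];
foreach ($inputs as $candidate) {
    printf(
        "%-18s is_callable=%-5s allowlisted=%s\n",
        $candidate,
        is_callable($candidate) ? 'true' : 'false',
        in_array(strtolower(ltrim($candidate, '\\')), ALLOWED_CALLBACKS, true) ? 'yes' : 'no'
    );
}
echo filter_content_safe('  Hello  ', ['callback_raw' => 'trim']), "\n";
```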
HarborGuard Analysis
Synopsis
Remote code execution (RCE) via an unsanitized shortcode attribute affects the Crawlomatic Multipage Scraper Post Generator WordPress plugin in all versions up to and including 2.7.2. The vulnerability is reachable over the network by any authenticated user with at least Author-level access, requiring no victim interaction. Successful exploitation gives an attacker arbitrary command execution on the underlying server. No upstream fix has been published yet; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Wordfence and NVD, within minutes of publication and matched against customer images and pipeline artifacts that include this plugin. Coverage extends to custom-built WordPress images that bundle the affected plugin directly.
- Triage: Available
Matched findings are triaged with the CVSS v3.1 score of 8.8 (HIGH) and weighted against each customer environment's compliance policy to prioritize severity routing. Alerts are directed to the appropriate team inbox within each customer organization based on workload ownership and policy configuration.
- Patched image: Pending upstream
Because no fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment CodeRevolution ships an upstream fix. In the interim, compensating-control guidance is surfaced so teams can act without waiting for an upstream patch.
Exploit Conditions
- Network reachability: Required
The attacker must reach the WordPress installation over the network; the plugin processes shortcode attributes through standard HTTP requests.
- Authentication: Required
Any low-privilege WordPress account at Author level or above is sufficient to trigger the vulnerable shortcode handler.
- Victim interaction: Not required
No victim interaction is needed; the attacker submits the malicious shortcode attribute directly without relying on another user's action.
- Attack complexity: Detail
Exploitation is reliable and condition-free; no race condition, memory layout knowledge, or environmental prerequisite is required beyond having a valid account.
Blast Radius
- Executes arbitrary operating system commands on the server hosting the WordPress installation, giving the attacker full control over that host process.
- Reads any file accessible to the web server user, including WordPress configuration files containing database credentials and secret keys.
- Writes or modifies files on the server, enabling backdoor installation or defacement of site content.
- Crashes or degrades the affected service by invoking destructive system commands, causing a denial of service for site visitors.
How HarborGuard Handles This
- Status: Available on HarborGuard
Because no upstream fix exists for CVE-2026-9009, the platform monitors the Wordfence and NVD advisory feeds on every ingest cycle and will automatically surface a patched-image rebuild the moment CodeRevolution publishes a remediated version of Crawlomatic.
While waiting for an upstream patch, customers can act on the following compensating controls surfaced in the HarborGuard finding detail: apply network-policy rules that restrict which internal principals can reach the WordPress service, enforce egress filtering on the container to block outbound shell-spawned connections, and consider disabling or removing the Crawlomatic plugin from the image until a fix is available.
For customers with auto-remediation enabled, the rebuilt image, regression-test run, and a PR opened against affected workloads will be made available immediately upon upstream fix publication, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in those environments.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- CodeRevolution / Crawlomatic Multipage Scraper Post Generator: ≤ 2.7.2
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H