CVE-2026-9009: WordPress Crawlomatic Plugin RCE Vulnerability

CVE-2026-9009 Overview

CVE-2026-9009 is a Remote Code Execution vulnerability in the Crawlomatic Multipage Scraper Post Generator plugin for WordPress. The flaw affects all versions up to and including 2.7.2. The plugin's filter_content function passes the attacker-controlled callback_raw shortcode attribute directly into PHP's call_user_func() without sanitization or allowlist validation. The plugin relies solely on an is_callable() check, which permits dangerous PHP built-ins such as system, shell_exec, exec, passthru, and assert. Authenticated attackers with author-level access or higher can execute arbitrary code on the server. A parallel sink in the callback attribute provides a second independent vector through the same shortcode.

Critical Impact

Authenticated authors can achieve full remote code execution on the underlying WordPress host, leading to site compromise and potential lateral movement.

Affected Products

• Crawlomatic Multipage Scraper Post Generator plugin for WordPress
• All versions up to and including 2.7.2
• WordPress sites permitting author-level accounts or higher

Discovery Timeline

• 2026-05-28 - CVE-2026-9009 published to NVD
• 2026-05-28 - Last updated in NVD database

Technical Details for CVE-2026-9009

Vulnerability Analysis

The vulnerability resides in the plugin's shortcode handler within class.crawlomatic.shortcode.php. The filter_content function accepts user-supplied attributes from the shortcode invocation and forwards them into PHP callback dispatch primitives. Both the callback and callback_raw attributes feed call_user_func() directly. Because the only gate is an is_callable() check, any PHP function name resolvable in the current scope passes validation. Built-in command execution wrappers such as system, shell_exec, exec, passthru, and assert qualify as callables and execute the supplied argument string against the host operating system or PHP interpreter.

This weakness is classified under [CWE-434] in the CVE record, though the underlying behavior aligns with unsafe reflection and code injection patterns where untrusted input controls dynamic function invocation.

Root Cause

The root cause is the absence of an allowlist for permitted callbacks. is_callable() validates only that a function exists and is invocable. It does not restrict callbacks to a safe set of plugin-defined handlers. By accepting arbitrary function names through shortcode attributes, the plugin permits attacker-defined control flow inside a privileged PHP context.

Attack Vector

An authenticated user with author-level capabilities or higher creates or edits a post containing the Crawlomatic shortcode. The attacker sets callback_raw or callback to a dangerous PHP function and supplies an argument string. When the shortcode renders, call_user_func() invokes the chosen function with the attacker-controlled argument, executing operating system commands or arbitrary PHP under the web server account.

For exploitation specifics, see the WordPress Plugin Code Analysis and the Wordfence Vulnerability Report.

Detection Methods for CVE-2026-9009

Indicators of Compromise

• Posts or post revisions containing Crawlomatic shortcodes with callback or callback_raw attributes referencing system, exec, shell_exec, passthru, assert, eval, or proc_open.
• Unexpected child processes spawned by the PHP-FPM or Apache worker process on the WordPress host.
• New or modified PHP files in wp-content/uploads/ or plugin directories outside the normal update cycle.
• Outbound network connections from the web server to unfamiliar hosts shortly after shortcode rendering.

Detection Strategies

• Search the wp_posts table for shortcode strings matching callback_raw= or callback= paired with built-in PHP function names.
• Monitor web server process trees for shells, interpreters, or download utilities launched as children of the PHP runtime.
• Audit WordPress user accounts with author role or above for recent privilege grants or unusual login activity.

Monitoring Recommendations

• Enable WordPress audit logging for post creation, post updates, and user role changes.
• Forward web server access and error logs to a central analytics platform and alert on POST requests to post.php followed by command execution events.
• Track file integrity on plugin directories and the WordPress uploads folder.

How to Mitigate CVE-2026-9009

Immediate Actions Required

• Deactivate the Crawlomatic Multipage Scraper Post Generator plugin until a patched release is installed.
• Audit all WordPress accounts with author-level capabilities or higher and remove unused or untrusted users.
• Review existing posts and drafts for malicious shortcode usage and purge any tampered content.
• Rotate WordPress administrator passwords and any credentials stored on the web host.

Patch Information

No vendor-supplied patch is referenced in the available advisory data. Site operators should monitor the Wordfence Vulnerability Report and the plugin's WordPress.org listing for an updated release beyond version 2.7.2.

Workarounds

• Restrict the author role so untrusted users cannot create or edit posts containing the Crawlomatic shortcode.
• Deploy a web application firewall rule that blocks shortcode payloads containing callback or callback_raw paired with sensitive PHP function names.
• Disable dangerous PHP functions globally by setting disable_functions in php.ini to include system, exec, shell_exec, passthru, proc_open, and assert where the application does not require them.

# Example php.ini hardening to neutralize the most common RCE sinks
disable_functions = system,exec,shell_exec,passthru,proc_open,popen,assert,pcntl_exec