Primary

Context

Crawlomatic Multipage Scraper Post Generator Remote Code Execution Vulnerability

Vulnerability

Patched

A remote code execution vulnerability exists in the Crawlomatic Multipage Scraper Post Generator plugin for WordPress, affecting all versions through 2.7.2. The issue arises in the filter_content function, where the 'callback_raw' shortcode attribute is passed directly to call_user_func() without proper sanitization or validation. This oversight allows authenticated attackers with author-level access or higher to execute arbitrary code on the server, as the is_callable() check permits the use of dangerous PHP functions like system, shell_exec, exec, passthru, and assert. Additionally, the 'callback' attribute presents a separate but similar vector for exploitation.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where the affected WordPress site is hosted.

Remediation

Users are advised to update the Crawlomatic Multipage Scraper Post Generator plugin to version 2.7.3 or a newer patched version.

Added: May 28, 2026, 6:22 AM

Updated: May 28, 2026, 6:22 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

5.9

remediation

0.0

relevance

9.6

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

5.9

remediation

0.0

relevance

9.6

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Crawlomatic Multipage Scraper Post Generator Remote Code Execution Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Crawlomatic Multipage Scraper Post Generator

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating