CVE-2026-9009

Crawlomatic · Multipage Scraper Post Generator (WordPress Plugin)

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is susceptible to Remote Code Execution (RCE) due to improper input handling.

Executive summary

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress contains a critical Remote Code Execution vulnerability that could allow an attacker to gain full control of the affected site.

Vulnerability

This is a Remote Code Execution vulnerability. Authentication requirements are not explicitly defined. RCE flaws in WordPress plugins typically bypass standard access controls, allowing unauthenticated or low-privileged attackers to execute arbitrary code on the server.

Business impact

Successful exploitation allows an attacker to execute arbitrary commands on the underlying web server, potentially leading to full site compromise, data exfiltration, or the deployment of ransomware. Given the CVSS score of 8.8, this vulnerability poses a severe risk to the integrity and availability of the WordPress environment.

Remediation

Immediate Action: Check the WordPress plugin repository for the latest version and update the Crawlomatic plugin immediately. If a patch is unavailable, deactivate and remove the plugin until a secure version is released.

Proactive Monitoring: Review web server access logs for suspicious POST requests or attempts to execute system-level commands via the plugin’s directory.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block common RCE payloads and suspicious execution patterns targeting WordPress plugins.
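The log review described under Proactive Monitoring can be scripted. The following is an added example, not code from the plugin or its vendor. It assumes the Apache/Nginx combined access-log format and uses `PLUGIN-SLUG-PLACEHOLDER` for the plugin's directory name, which this page does not give; the sample lines and the file name `handler.php` are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Placeholder: set to the plugin's real directory name under wp-content/plugins/.
PLUGIN_SLUG = "PLUGIN-SLUG-PLACEHOLDER"

# Apache/Nginx "combined" access-log format (assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalized_path(target):
    """Drop the query string, decode percent-escapes, collapse repeated
    slashes and lowercase, so padded or encoded paths still match."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/+", "/", path).lower()

def plugin_posts(lines, slug=PLUGIN_SLUG):
    """Map client IP -> [(timestamp, path, status)] for POST requests
    whose path falls under the plugin's directory."""
    # Substring match, so a WordPress install in a subdirectory is covered.
    prefix = f"/wp-content/plugins/{slug.lower()}/"
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = normalized_path(m["target"])
        if prefix in path:
            hits[m["ip"]].append((m["ts"], path, int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation IP ranges, made-up file name).
P = "/wp-content/plugins/" + PLUGIN_SLUG
SAMPLE = [
    f'203.0.113.7 - - [12/May/2026:10:01:02 +0000] "POST {P}/handler.php HTTP/1.1" 200 512 "-" "-"',
    f'203.0.113.7 - - [12/May/2026:10:01:09 +0000] "POST /wp-content/plugins//{PLUGIN_SLUG.lower()}/%68andler.php?x=1 HTTP/1.1" 200 498 "-" "-"',
    f'198.51.100.20 - - [12/May/2026:10:02:00 +0000] "GET {P}/readme.txt HTTP/1.1" 200 1024 "-" "-"',
    '198.51.100.20 - - [12/May/2026:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    f'192.0.2.44 - - [12/May/2026:10:03:30 +0000] "POST /blog{P}/handler.php HTTP/1.1" 403 199 "-" "-"',
]

if __name__ == "__main__":
    for ip, reqs in plugin_posts(SAMPLE).items():
        for ts, path, status in reqs:
            print(ip, ts, status, path)
```

POSTs that returned a 2xx status are the ones to review first; 403 responses show requests the server or WAF already refused.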

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a critical threat due to the potential for complete system compromise. Administrators must prioritize updating or removing the vulnerable plugin immediately to eliminate the attack surface and prevent unauthorized code execution.