Crawlomatic Multipage Scraper Post Generator
cpe:2.3:a:coderevolution:crawlomatic_multipage_scraper_post_generator:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Coderevolution (32b31726-d241-548e-8113-38e65f899083) |
|---|---|
| Product | Crawlomatic Multipage Scraper Post Generator (90c0ce60-ec1a-50fb-998c-d4c031c66993) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-9009 | vulnerable | 2026-06-08 08:08:58.797110 | Crawlomatic Multipage Scraper Post Generator <= 2.7.2 - Authenticated (Author+) Remote Code Execution via 'callback_raw' Shortcode Attribute<br>HIGH (8.8)<br>The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.7.2 via the filter_content function. This is due to passing the attacker-supplied 'callback_raw' shortcode attribute directly into call_user_func() with no sanitization or allowlist validation, relying solely on an is_callable() check that permits dangerous PHP built-ins such as system, shell_exec, exec, passthru, and assert. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. An identical sink exists for the 'callback' attribute, providing a second independent vector through the same shortcode.<br>Published: 2026-05-28T05:30:40.431Z<br>Updated: 2026-05-28T10:36:35.093Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-4389 | vulnerable | 2026-06-08 07:29:16.193562 | Crawlomatic Multipage Scraper Post Generator <= 2.6.8.1 - Unauthenticated Arbitrary File Upload<br>CRITICAL (9.8)<br>The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function in all versions up to, and including, 2.6.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.<br>Published: 2025-05-17T05:30:33.140Z<br>Updated: 2026-04-08T16:36:26.068Z | Imported from gcve-enriched-dumps CVE data |