Description
The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' and 'regex' parameters in the search-pattern tester page in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-03-21
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS
Action: Patch
AI Analysis

Impact

The vulnerability is a reflected XSS that allows attackers to inject scripts through the 'url' and 'regex' parameters on the admin_regex_test.php page in the rexCrawler plugin. This flaw affects WordPress multisite installations and those with unfiltered_html disabled, enabling execution of arbitrary scripts in admin pages after an administrator clicks a crafted link.

Affected Systems

The affected product is the rexCrawler WordPress plugin by larsdrasmussen, with all versions up to and including 1.0.15 impacted. Administrators should check whether their site runs any of these affected releases and ensure they are on a supported version.

Risk and Exploitability

The CVSS base score is 6.1, indicating medium severity. No EPSS data is provided and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to prompt a legitimate administrator to access the vulnerable endpoint, typically through social engineering or phishing with a malicious link, after which the unsanitized parameters allow injection of malicious JavaScript.

Generated by OpenCVE AI on March 21, 2026 at 06:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the rexCrawler plugin to a version newer than 1.0.15.
  • If upgrading is not possible, restrict or remove access to the admin_regex_test.php page so that only trusted administrators can use it.
  • Regularly audit the site for other XSS-related issues and ensure input sanitization and output escaping are correctly applied.

Generated by OpenCVE AI on March 21, 2026 at 06:40 UTC.
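The advisory's root cause, insufficient input sanitization and output escaping of the 'url' and 'regex' parameters on an admin tester page, is easiest to see side by side with the corrected pattern. The following is an added example written for this page; it is not rexCrawler's code and does not claim to show how the plugin is implemented. The function names, the form markup and the nonce action name are hypothetical; the WordPress API calls (current_user_can, check_admin_referer, wp_nonce_field, wp_unslash, esc_url_raw, esc_attr, esc_html) are real core functions.

```php
<?php
/**
 * Added example, not rexCrawler's code. A minimal admin page that accepts
 * 'url' and 'regex' from the query string and reflects them back.
 * All function names and the nonce action are hypothetical.
 */

/**
 * Vulnerable form: the CWE-79 pattern the advisory describes. The two
 * parameters are read raw and printed raw, one inside an attribute value
 * and one inside element content, so a crafted link opened by an
 * administrator renders attacker-controlled markup in the admin context.
 */
function hypothetical_regex_tester_vulnerable() {
	$url   = isset( $_GET['url'] ) ? $_GET['url'] : '';
	$regex = isset( $_GET['regex'] ) ? $_GET['regex'] : '';

	// No escaping for either output context.
	echo '<input type="text" name="url" value="' . $url . '">';
	echo '<pre>' . $regex . '</pre>';
}

/**
 * Hardened form. Three independent controls, each of which alone would
 * stop the reflected XSS:
 *  1. Capability check plus a nonce bound to this action, so a bare link
 *     built by an unauthenticated third party is rejected before any
 *     parameter is reflected (check_admin_referer() dies on failure).
 *  2. Input sanitized on read: wp_unslash() removes the slashes WordPress
 *     adds, esc_url_raw() constrains the URL field to a safe URL.
 *  3. Output escaped for the exact context it lands in: esc_attr() inside
 *     attribute values, esc_html() inside element content.
 */
function hypothetical_regex_tester_hardened() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Insufficient permissions.', 'hypothetical' ) );
	}

	$url   = '';
	$regex = '';

	// Only act on submitted values when the request carries a valid nonce.
	if ( isset( $_GET['url'] ) || isset( $_GET['regex'] ) ) {
		check_admin_referer( 'hypothetical_regex_test' );

		$url = isset( $_GET['url'] ) ? esc_url_raw( wp_unslash( $_GET['url'] ) ) : '';

		// The pattern must stay intact to be useful as a regex, so it is not
		// rewritten on input; output escaping is what prevents injection.
		$regex = isset( $_GET['regex'] ) ? wp_unslash( $_GET['regex'] ) : '';
	}

	echo '<form method="get">';
	wp_nonce_field( 'hypothetical_regex_test' ); // emits the hidden _wpnonce field
	echo '<input type="text" name="url" value="' . esc_attr( $url ) . '">';
	echo '<input type="text" name="regex" value="' . esc_attr( $regex ) . '">';
	echo '</form>';
	echo '<pre>' . esc_html( $regex ) . '</pre>';
}
```

The escaping functions are chosen per output context rather than applied once on input: a value that is safe inside `<pre>` is not automatically safe inside a quoted attribute, and vice versa. The nonce is what addresses the "trick an administrator into clicking a link" precondition in the description, since a link forged without a session-bound nonce is refused before anything is echoed. The scoping note in the advisory (only multisite, or sites where unfiltered_html is disabled) follows from the same logic: an administrator who holds unfiltered_html can already insert script into the site, so reflecting script to that administrator adds no new capability; where the capability is withheld, this page becomes a way to run script in an admin session that otherwise could not.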

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Larsdrasmussen; Larsdrasmussen rexcrawler; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Larsdrasmussen; Larsdrasmussen rexcrawler; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values Removed: none
Values Added: The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' and 'regex' parameters in the search-pattern tester page in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Type: Title
Values Removed: none
Values Added: rexCrawler <= 1.0.15 - Reflected Cross-Site Scripting via 'url' and 'regex' Parameters

Type: Weaknesses
Values Removed: none
Values Added: CWE-79

Type: References
Values Removed: none

Type: Metrics
Values Removed: none
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Larsdrasmussen Rexcrawler
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:26.833Z

Reserved: 2026-02-10T14:09:17.220Z

Link: CVE-2026-2277

Vulnrichment

Updated: 2026-03-23T15:07:48.591Z

NVD

Status: Deferred

Published: 2026-03-21T04:16:57.803

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-2277

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:42:27Z

Weaknesses