Impact
The rexCrawler plugin contains a stored cross‑site scripting flaw in all released versions through 1.0.15. An attacker who is authenticated with administrator‑level permissions can place arbitrary JavaScript into an admin settings field because the input is neither sanitized nor escaped properly. When the setting value is later rendered on a page accessed by other users, the injected script executes in their browser, allowing the attacker to steal credentials, deface the site, or redirect traffic. This vulnerability is a classic example of CWE‑79 and is limited to WordPress multi‑site installations or sites that have disabled the unfiltered_html capability.
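The missing controls described above, sanitizing the setting on save and escaping it on output, look like this in a WordPress plugin. This is an added example, not rexCrawler's code; the option name, settings group, page slug and function name are hypothetical, and it assumes the file is loaded as a plugin inside WordPress.

```php
<?php
/**
 * Plugin Name: Example Crawler Settings (hypothetical, for illustration)
 */

// Unsafe pattern the advisory describes: the raw value is stored and printed.
//   update_option( 'example_crawler_label', $_POST['example_crawler_label'] );
//   echo '<input value="' . get_option( 'example_crawler_label' ) . '">';

// 1. Sanitize on save: every write through the Settings API passes through
//    the callback, whether or not the user holds unfiltered_html.
add_action( 'admin_init', function () {
    register_setting(
        'example_crawler_group',   // hypothetical settings group
        'example_crawler_label',   // hypothetical option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field', // strips tags
            'default'           => '',
        )
    );
} );

add_action( 'admin_menu', function () {
    add_options_page( 'Example Crawler', 'Example Crawler', 'manage_options',
        'example-crawler', 'example_crawler_render_settings_page' );
} );

// 2. Escape on output: the stored value is treated as untrusted at render
//    time, which also covers values saved before the sanitizer existed.
function example_crawler_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $label = get_option( 'example_crawler_label', '' );
    ?>
    <form method="post" action="options.php">
        <?php settings_fields( 'example_crawler_group' ); // nonce + group ?>
        <input type="text" name="example_crawler_label"
               value="<?php echo esc_attr( $label ); ?>">
        <?php submit_button(); ?>
    </form>
    <p>Current label: <?php echo esc_html( $label ); ?></p>
    <?php
}
```

Escaping at output is the control that matters for values already in the database: a payload stored before an update stays inert only if every render path uses the escaping function that matches its context.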
Affected Systems
WordPress sites using the rexCrawler plugin at any version up to and including 1.0.15 are affected. The flaw only manifests on multi‑site installs or on single‑site installs where the unfiltered_html capability has been turned off. Exploitation requires that the attacker have administrator or higher privileges within the WordPress instance.
Risk and Exploitability
The CVSS score of 4.8 indicates moderate severity. The EPSS score is not available, but once the attacker gains legitimate administrator access—potentially via a compromised site owner—the stored script remains until the settings are manually cleared, providing persistent client‑side compromise. The vulnerability is not listed in CISA’s KEV catalog, suggesting no publicly known sophisticated exploits. The attack path requires only routine admin login, navigation to the rexCrawler settings, injection of malicious script, and subsequent visitation of the affected page by other users. Overall, this poses a moderate risk of cross‑site compromise for users of vulnerable WordPress deployments.