WordPress rexCrawler Plugin Allows Unauthenticated Script Injection
CVE-2026-2277
Summary
The WordPress rexCrawler plugin has a reflected cross-site scripting flaw that allows attackers to inject malicious script into a website's pages. The script runs if an administrator clicks on a link sent by an attacker, potentially compromising the website. To fix this, update the plugin to the latest version, which is available on the WordPress plugin repository.
Original title
The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' and 'regex' parameters in the search-pattern tester page in all versions up to, and including, 1.0....
Original description
The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' and 'regex' parameters in the search-pattern tester page in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. This only affects multi-site installations and installations where unfiltered_html has been disabled.
NVD CVSS 3.1
6.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://plugins.trac.wordpress.org/browser/rexcrawler/tags/1.0.15/admin_regex_te...
- https://plugins.trac.wordpress.org/browser/rexcrawler/tags/1.0.15/admin_regex_te...
- https://plugins.trac.wordpress.org/browser/rexcrawler/trunk/admin_regex_test.php...
- https://plugins.trac.wordpress.org/browser/rexcrawler/trunk/admin_regex_test.php...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2a17f466-bc4b-4668-8ff...
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026