CVE-2026-2277 in rexCrawler Plugin

Summary

by MITRE • 03/21/2026

The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' and 'regex' parameters in the search-pattern tester page in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. This only affects multi-site installations and installations where unfiltered_html has been disabled.


Analysis

by VulDB Data Team • 03/21/2026

The rexCrawler plugin for WordPress presents a significant security vulnerability classified as reflected cross-site scripting in versions up to and including 1.0.15. This vulnerability specifically targets the search-pattern tester page functionality where the 'url' and 'regex' parameters are improperly handled. The flaw stems from inadequate input sanitization mechanisms and insufficient output escaping practices that fail to properly validate or encode user-supplied data before it is rendered in web pages. The vulnerability is particularly concerning because it affects multi-site WordPress installations and installations where the unfiltered_html capability has been disabled, creating a scenario where attackers can potentially exploit this weakness to execute malicious scripts in the context of an administrator's browser session.

Exploiting this vulnerability requires an attacker to craft input containing script code in the vulnerable 'url' and 'regex' parameters. When an administrator opens the affected search-pattern tester page with these parameters, the script code is reflected back in the page response and executed in the administrator's browser context. This creates a threat vector that can be leveraged for session hijacking, credential theft, or further compromise of the WordPress installation. The vulnerability falls under the CWE-79 classification for cross-site scripting, specifically reflected XSS, where the payload is reflected off the web server rather than being stored. The attack requires a social engineering element to trick an administrator into clicking a crafted link, but once executed, the impact can be severe because the script runs with the privileges of the targeted administrator.

The operational impact of this vulnerability extends beyond simple script execution, as it represents a critical threat to WordPress multi-site installations where administrative privileges are more concentrated. In environments where unfiltered_html has been disabled as a security measure, the vulnerability becomes even more significant because it provides an alternative attack path that bypasses the intended security controls. Attackers can potentially use this vulnerability to inject malicious scripts that could steal administrator cookies, perform unauthorized actions within the WordPress admin interface, or redirect users to malicious domains. The vulnerability affects the core functionality of the plugin's search-pattern tester feature, which is designed for legitimate administrative use but becomes a dangerous attack vector due to the lack of proper input validation. This vulnerability directly aligns with ATT&CK technique T1566.001 for social engineering through spearphishing, as it requires administrator interaction to be effective, making it particularly dangerous in environments where administrators frequently interact with plugin interfaces.

Mitigation strategies for this vulnerability should prioritize immediate patching of the rexCrawler plugin to version 1.0.16 or later, which contains the necessary input sanitization and output escaping fixes. Administrators should also implement additional security measures such as restricting access to plugin interfaces, implementing content security policies to prevent script execution, and monitoring for suspicious activity in the WordPress admin area. The vulnerability highlights the importance of proper input validation and output encoding practices, particularly in multi-site WordPress environments where the attack surface is expanded. Organizations should conduct security audits to identify other plugins with similar vulnerabilities and ensure that all WordPress installations maintain current versions with proper security hardening measures in place. The vulnerability serves as a reminder that even seemingly benign plugin features can become attack vectors when proper security practices are not implemented during development, emphasizing the need for comprehensive security testing and validation of all user-input handling mechanisms within web applications.
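As an added illustration (not the rexCrawler plugin's own code; the function, nonce and capability names are assumptions), the unsafe reflect pattern the advisory describes is shown beside a hardened WordPress handler that applies the input sanitization and context-aware output escaping the fix relies on:

```php
<?php
// Added example, not code from the rexCrawler plugin. Shows a WordPress
// admin page that reflects the 'url' and 'regex' request parameters, first
// in the unsafe form the advisory describes, then in a hardened form.
// Function, nonce and capability names are assumptions for this example.

// Unsafe pattern: parameters are echoed back verbatim, so any markup in
// them is rendered by the administrator's browser (reflected XSS, CWE-79).
function example_tester_unsafe() {
    $url   = isset( $_GET['url'] )   ? $_GET['url']   : '';
    $regex = isset( $_GET['regex'] ) ? $_GET['regex'] : '';
    echo '<input type="text" name="url" value="' . $url . '">';
    echo '<pre>' . $regex . '</pre>';
}

// Hardened pattern: restrict who may reach the page, bind the request to a
// nonce so a crafted link alone cannot trigger it, sanitize on input, and
// escape on output with the function matching each HTML context.
function example_tester_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }
    // check_admin_referer() stops the request unless it carries a valid
    // nonce generated for this action (e.g. via wp_nonce_field()).
    check_admin_referer( 'example_tester_action', 'example_nonce' );

    // esc_url_raw() drops non-URL protocols such as javascript: on input.
    $url = isset( $_GET['url'] ) ? esc_url_raw( wp_unslash( $_GET['url'] ) ) : '';

    // A regex legitimately contains < > " and similar characters, so a
    // lossy filter like sanitize_text_field() would alter the pattern;
    // the value is only displayed, so output escaping is the control.
    $regex = isset( $_GET['regex'] ) ? (string) wp_unslash( $_GET['regex'] ) : '';

    // esc_attr() for attribute context, esc_html() for element content.
    echo '<input type="text" name="url" value="' . esc_attr( $url ) . '">';
    echo '<pre>' . esc_html( $regex ) . '</pre>';
}
```

The escaping functions must match the context they write into; escaping for an attribute and then reusing the value inside a <script> block would still be unsafe.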

Responsible

Wordfence

Reservation

02/10/2026

Disclosure

03/21/2026

Moderation

accepted

CPE

ready

EPSS

0.00126

KEV

no

Activities

very low
