CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' and 'regex' parameters in the search-pattern tester page in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Analysis
The rexCrawler WordPress plugin contains a Reflected Cross-Site Scripting (XSS) vulnerability in the search-pattern tester page that allows unauthenticated attackers to inject arbitrary web scripts via inadequately sanitized 'url' and 'regex' parameters. Affected versions are up to and including 1.0.15 (CPE: cpe:2.3:a:larsdrasmussen:rexcrawler:*:*:*:*:*:*:*:*), with exploitation requiring social engineering to trick administrators into clicking a malicious link. …
Remediation
Within 30 days: Identify affected systems running rexCrawler in any version up to and including 1.0.15 and apply vendor patches as part of the regular patch cycle. Verify Content-Security-Policy and output encoding.
EUVD-2026-14000
GHSA-4r2x-xpjr-7cvv