VYPR
Medium severity · CVSS 4.8 · NVD Advisory · Published May 27, 2026

CVE-2026-2280

Description

The rexCrawler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in the rexCrawler plugin (versions ≤ 1.0.15) allows administrator-level attackers to inject scripts into admin pages; it affects multi-site installations and installations where unfiltered_html is disabled.

Vulnerability

The rexCrawler plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) through its admin settings in all versions up to and including 1.0.15. The vulnerability exists because user-supplied input, such as group titles and descriptions, is echoed without proper output escaping in admin_main.php [1]. This affects multi-site installations and installations where the unfiltered_html capability has been disabled.

Exploitation

An authenticated attacker with administrator-level permissions can inject arbitrary web scripts by crafting malicious input in the plugin's admin settings (e.g., group creation or editing). The stored script executes whenever a user accesses the affected admin page. The attack is only exploitable on multi-site setups or environments where unfiltered_html is disabled.

Impact

Successful exploitation allows the attacker to execute arbitrary web scripts in the context of the admin dashboard. This can lead to session hijacking, defacement, theft of sensitive data, or further privilege escalation within the WordPress installation.

Mitigation

As of the publication date (2026-05-27), no patched version has been released. Possible mitigations include restricting administrator access to trusted users, disabling the plugin on non-multi-site installations, or removing the plugin entirely. If the plugin is no longer maintained, a complete removal is recommended.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. The vulnerability mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 5

News mentions: 0 (no linked articles in our index yet)