diff --git a/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf b/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
index f09548a892247b0ccbcdb30807f19b1f17ee7651..6c8011f753ce110a87c9a52ed5f61fcdf6c989b2 100644
--- a/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
+++ b/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
@@ -23,3 +23,20 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/themes.php" \
     nolog,\
     ctl:ruleRemoveTargetByTag=CRS;ARGS:newcontent"
 
+# The ability to edit CSS triggers XSS rules when editing posts.
+# Disable all CRS rules on the wp-json API endpoint.
+SecRule REQUEST_URI "@beginsWith /wp-json/wp/v2/posts/" \
+    "id:1003,\
+    phase:2,\
+    pass,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=CRS,ARGS:content"
+
+# Make the eventlist plugin work.
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
+    "id:1004,\
+    phase:2,\
+    pass,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=CRS,ARGS:/widget-event_list_widget.*/"
+