Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-15363 is a stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin "json-content-importer" versions before 2.0.10.'}, {'type': 'paragraph', 'content': 'The plugin executes imported JSON data without proper sanitization, which allows users with a Contributor role or higher to inject malicious scripts.'}, {'type': 'paragraph', 'content': 'This vulnerability is exploitable particularly when the PHP mbstring extension is not installed on the server.'}, {'type': 'paragraph', 'content': 'An attacker can host a malicious JSON file containing script tags in fields like "title" and trick a user into embedding this JSON via a shortcode in a WordPress post, causing the script to execute when the post is viewed or previewed.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to Cross-Site Scripting attacks, allowing attackers to execute arbitrary JavaScript in the context of the affected website.

Such attacks can result in theft of sensitive information like cookies, session tokens, or other credentials, potentially leading to account takeover or unauthorized actions.

Since users with as low a role as Contributor can exploit this, it increases the risk from less privileged users.

The impact is especially severe if an administrator previews or views the compromised post, as the malicious script can execute with their privileges.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability affects the WordPress plugin "json-content-importer" versions prior to 2.0.10 and requires the PHP mbstring extension to be absent. Detection involves checking the plugin version and the PHP environment.'}, {'type': 'list_item', 'content': 'Verify the installed version of the json-content-importer plugin to ensure it is 2.0.10 or later.'}, {'type': 'list_item', 'content': 'Check if the PHP mbstring extension is installed, as the exploit requires it to be missing.'}, {'type': 'list_item', 'content': 'Look for posts containing the shortcode [jsoncontentimporter url="..."] which might be used to import JSON data.'}, {'type': 'paragraph', 'content': 'Suggested commands:'}, {'type': 'list_item', 'content': 'To check the plugin version, use WP-CLI: `wp plugin list | grep json-content-importer`'}, {'type': 'list_item', 'content': 'To check if mbstring is installed, run: `php -m | grep mbstring`'}, {'type': 'list_item', 'content': "To search for posts containing the shortcode, use a database query or WP-CLI: `wp post list --post_type=post --format=ids | xargs -I % wp post get % --field=post_content | grep '\\[jsoncontentimporter'`"}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to update the json-content-importer WordPress plugin to version 2.0.10 or later, where the vulnerability is fixed.

Additionally, ensure that the PHP mbstring extension is installed on the server, as the exploit requires it to be absent.

Limit user roles and permissions to prevent contributors or lower roles from importing untrusted JSON data.

Review and remove any posts that embed the vulnerable shortcode with untrusted JSON URLs.

Useful 0 Not Useful 0