CVE-2025-15363
Cross-Site Scripting in Get Use APIs WordPress Plugin
Publication date: 2026-03-18
Last updated on: 2026-03-18
Assigner: WPScan
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| json_content_importer | json_content_importer | to 2.0.10 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15363 is a stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin "json-content-importer" in versions before 2.0.10.

The plugin outputs imported JSON data without proper sanitization, which allows users with the Contributor role or higher to inject malicious scripts.

The vulnerability is particularly exploitable when the PHP mbstring extension is not installed on the server.

An attacker can host a malicious JSON file containing script tags in fields such as "title" and trick a user into embedding that JSON via a shortcode in a WordPress post, causing the script to execute when the post is viewed or previewed. [1]
How can this vulnerability impact me?
This vulnerability can lead to Cross-Site Scripting attacks, allowing attackers to execute arbitrary JavaScript in the context of the affected website.
Such attacks can result in theft of sensitive information like cookies, session tokens, or other credentials, potentially leading to account takeover or unauthorized actions.
Because the Contributor role is sufficient to exploit it, the risk posed by low-privileged users is increased.
The impact is especially severe if an administrator previews or views the compromised post, as the malicious script can execute with their privileges.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the WordPress plugin "json-content-importer" in versions prior to 2.0.10 and requires the PHP mbstring extension to be absent. Detection involves checking the plugin version and the PHP environment.

- Verify the installed version of the json-content-importer plugin to ensure it is 2.0.10 or later.
- Check whether the PHP mbstring extension is installed, as the exploit requires it to be missing.
- Look for posts containing the shortcode `[jsoncontentimporter url="..."]`, which may be used to import JSON data.

Suggested commands:

- To check the plugin version, use WP-CLI: `wp plugin list | grep json-content-importer`
- To check whether mbstring is installed, run: `php -m | grep mbstring`
- To search for posts containing the shortcode, use a database query or WP-CLI (`--format=ids` prints the IDs space-separated on one line, so they are split onto separate lines before `xargs -I`): `wp post list --post_type=post --format=ids | tr ' ' '\n' | xargs -I % wp post get % --field=post_content | grep '\[jsoncontentimporter'` [1]
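As an added example (not from the advisory, the plugin or the Q&A source), the following POSIX shell script runs the three checks above as one defender-side pass. It assumes WP-CLI is installed as `wp` and that `php` is on PATH; when `wp` is absent it falls back to constructed sample post content, and it goes a step beyond the listed grep by extracting each shortcode's URL and counting those that point outside the site's own origin.

```shell
#!/bin/sh
# Added example, not from the advisory or the plugin. Assumes WP-CLI is
# installed as `wp` and `php` is on PATH; hostnames below are constructed.

# Print the url attribute of every [jsoncontentimporter ...] shortcode on
# stdin, one per line. Accepts double- or single-quoted attribute values.
jci_shortcode_urls() {
    grep -o '\[jsoncontentimporter[^]]*]' \
      | sed -n "s/.*url=[\"']\([^\"']*\)[\"'].*/\1/p"
}

# Count shortcodes on stdin whose url does not begin with the site's own
# origin (e.g. https://example.org): JSON pulled from a host the site does
# not control is where an untrusted "title" field would come from.
jci_external_count() {
    jci_shortcode_urls | grep -vc "^$1" || true
}

# Constructed post content, used when WP-CLI is not available.
sample_posts() {
    cat <<'EOF'
Release notes [jsoncontentimporter url="https://example.org/wp-json/feed.json" basenode="items"]
Guest post [jsoncontentimporter url='https://third-party.invalid/data.json'] end of post
Plain post with no shortcode at all
EOF
}

# 1. Plugin version (the advisory says the fix is in 2.0.10).
if command -v wp >/dev/null 2>&1; then
    wp plugin list | grep json-content-importer || echo "json-content-importer: not installed"
    # 3. Shortcode usage across all posts, with the import URLs extracted.
    wp post list --post_type=post --format=ids \
      | tr ' ' '\n' \
      | xargs -I % wp post get % --field=post_content \
      | jci_shortcode_urls
else
    echo "wp not found; running the shortcode check on constructed sample posts:"
    sample_posts | jci_shortcode_urls
    echo "shortcodes importing from outside the site: $(sample_posts | jci_external_count https://example.org)"
fi

# 2. mbstring presence (the advisory ties exploitability to its absence).
if php -m 2>/dev/null | grep -q mbstring; then
    echo "mbstring: present"
else
    echo "mbstring: MISSING or php not found"
fi
```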
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update the json-content-importer WordPress plugin to version 2.0.10 or later, where the vulnerability is fixed.
Additionally, ensure that the PHP mbstring extension is installed on the server, as the exploit requires it to be absent.
Limit user roles and permissions to prevent contributors or lower roles from importing untrusted JSON data.
Review and remove any posts that embed the vulnerable shortcode with untrusted JSON URLs.