CVE-2025-15363
Description
The Get Use APIs WordPress plugin before 2.0.10 executes imported JSON, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks under certain server configurations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Get Use APIs WordPress plugin before 2.0.10 executes imported JSON, allowing contributor-level users to perform stored Cross-Site Scripting under specific server configurations.
Vulnerability Overview
The Get Use APIs WordPress plugin (also known as json-content-importer) prior to version 2.0.10 contains a stored Cross-Site Scripting (XSS) vulnerability. The plugin executes imported JSON data without proper sanitization or output escaping, allowing malicious JavaScript to be injected and stored. This issue is classified under CWE-79 and affects the plugin's handling of JSON content [1].
Exploitation Conditions
An attacker must have at least a Contributor role in WordPress to exploit this vulnerability. The attack is possible under certain server configurations, likely related to the availability of the mbstring PHP extension, as referenced in the advisory [1]. The attacker imports a crafted JSON payload that includes JavaScript code, which is then executed when the stored data is rendered on a page.
Impact
Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary JavaScript in the context of other users, including administrators. This can result in session hijacking, cookie theft, or unauthorized actions performed on behalf of the victim. The CVSS v3 score is 5.9 (Medium) [1].
Mitigation
The vulnerability is fixed in version 2.0.10 of the Get Use APIs plugin. Users are strongly advised to update to the latest version immediately. No workarounds are documented, and the plugin's vendor has released the patch to address the issue [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.0.10
Patches
No patches discovered yet.