Get Use APIs – JSON Content Importer < 2.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description
The Get Use APIs – JSON Content Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 2.0.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Technical Details
Affected versions: < 2.0.10
What Changed in the Fix
Changes introduced in v2.0.10
Source Code
WordPress.org SVN
Research Plan: CVE-2025-15363 - Get Use APIs – JSON Content Importer Stored XSS
1. Vulnerability Summary
The Get Use APIs – JSON Content Importer plugin (versions < 2.0.10) is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability exists because the plugin fails to sanitize or escape shortcode attributes before echoing them back to the page when "debug mode" is enabled.
While the plugin attempts to restrict Contributors from using the shortcode via a content_save_pre filter and role checks within the execution function, these protections are bypassed when using Gutenberg blocks, which utilize a different storage format that evades the shortcode-specific filter. When an administrator views a page containing a maliciously crafted block, the XSS payload executes in their context.
2. Attack Vector Analysis
- Endpoint: WordPress Post/Page Editor (via Gutenberg Block).
- Vulnerable Function: JsonContentImporter::shortcodeExecute (which is also used for block rendering).
- Payload Carry: Shortcode/Block attributes, specifically url or any other attribute passed to the atts array.
- Preconditions:
  - The attacker must have Contributor-level access or higher.
  - The debugmode attribute must be set to 10.
  - The apiaccesset attribute should be set to a non-existent value to trigger the immediate error return path containing
Summary
The Get Use APIs – JSON Content Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gutenberg block attributes. Authenticated attackers with Contributor-level access or higher can bypass shortcode-specific security filters by using Gutenberg blocks and injecting malicious scripts into attributes that are reflected unescaped when 'debug mode' is enabled.
Vulnerable Code
// class-json-content-importer.php line 79
private function showdebugmessage($message, $showDEBUG=TRUE){
    if ($this->debugmode[$this->nestedlevel]!=10) {
        return "";
    }
    if ($showDEBUG) {
        $this->debugmessage[$this->nestedlevel] .= __('DEBUG' , 'json-content-importer').' ('.$this->nestedlevel.'-'.$this->debugmode[$this->nestedlevel].'): ';
    }
    // $message is appended to the debug buffer as-is: no escaping before it reaches the page
    $this->debugmessage[$this->nestedlevel] .= "$message<br>";
}

---

// json-content-importer.php line 135
// Save-time gate: only looks for the [jsoncontentimporter] shortcode, so block-stored content passes untouched
add_filter('content_save_pre', function ($content) {
    if ( ! has_shortcode( $content, 'jsoncontentimporter' ) ) {
        return $content;
    }
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $content;
    }
    $re = get_shortcode_regex( [ 'jsoncontentimporter' ] );
    return preg_replace_callback( "/$re/s", function( $m ) {
        if ( $m[2] !== 'jsoncontentimporter' ) return $m[0];
        return '<!-- Blocked: You have added the jsoncontentimporter shortcode. This is not allowed with your current WordPress permissions. -->';
    }, $content );
}, 20);
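The bypass described in the research plan (a shortcode-only save filter that never sees Gutenberg block attributes) is easiest to understand from the auditing side. The following is an added Python example, not code from the plugin, the advisory or its author: it scans post_content rows for JSON Content Importer usages in both storage formats and flags the combination the advisory names (debugmode set to 10 together with attribute values carrying markup). It assumes a placeholder block name `json-content-importer/block` (the page does not give the real block name), models the content_save_pre gate as a `has_shortcode()` mimic, and runs over three constructed sample posts.

```python
"""Audit WordPress post_content for JSON Content Importer usages in both storage
formats (classic shortcode and Gutenberg block) and flag the combination the
advisory describes: debugmode=10 together with attribute values carrying markup.
Added example; not code from the plugin or the advisory."""
import html
import json
import re
from typing import Dict, List

SHORTCODE_TAG = "jsoncontentimporter"            # tag named in the advisory
JCI_BLOCK_NAME = "json-content-importer/block"   # ASSUMED placeholder block name

SHORTCODE_RE = re.compile(r"\[" + re.escape(SHORTCODE_TAG) + r"(?P<attrs>[^\]]*)\]")
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
# Gutenberg serialises a block as <!-- wp:ns/name {"attr":...} /--> (or a
# non-self-closing variant); attributes live in the JSON, not in shortcode syntax.
BLOCK_RE = re.compile(
    r"<!--\s*wp:(?P<name>(?:[\w-]+/)?[\w-]+)\s*(?P<json>\{.*?\})?\s*/?-->", re.S
)


def has_shortcode(content: str, tag: str) -> bool:
    """Mimic of a shortcode-only gate such as the content_save_pre filter: it
    recognises '[tag ...]' text and nothing else."""
    return re.search(r"\[" + re.escape(tag) + r"(?=[\s\]/])", content) is not None


def jci_usages(content: str) -> List[Dict]:
    """Return every JCI usage with its attributes, whatever the storage format."""
    usages = []
    for m in SHORTCODE_RE.finditer(content):
        attrs = {k: dq or sq for k, dq, sq in ATTR_RE.findall(m.group("attrs"))}
        usages.append({"kind": "shortcode", "attrs": attrs})
    for m in BLOCK_RE.finditer(content):
        if m.group("name") != JCI_BLOCK_NAME:
            continue
        # json.loads also decodes the \u003c-style escapes WordPress writes for < > & "
        raw = json.loads(m.group("json") or "{}")
        usages.append({"kind": "block", "attrs": {k: str(v) for k, v in raw.items()}})
    return usages


def risky(usage: Dict) -> List[str]:
    """Reasons a usage matters: debug output enabled, and/or markup in an attribute
    that the debug path would echo back unescaped."""
    attrs = usage["attrs"]
    reasons = []
    if attrs.get("debugmode") == "10":
        reasons.append("debugmode=10 echoes attributes into the page")
    for name, value in attrs.items():
        if html.escape(value, quote=True) != value:
            reasons.append(f"attribute {name!r} contains HTML-special characters")
    return reasons


def audit(posts: List[Dict]) -> List[Dict]:
    """One finding per risky usage, recording whether a shortcode-only gate
    would even have seen the content (it does not for blocks)."""
    findings = []
    for post in posts:
        for usage in jci_usages(post["content"]):
            reasons = risky(usage)
            if reasons:
                findings.append({
                    "id": post["id"],
                    "kind": usage["kind"],
                    "seen_by_shortcode_gate": has_shortcode(post["content"], SHORTCODE_TAG),
                    "reasons": reasons,
                })
    return findings


# Constructed sample rows standing in for wp_posts.post_content exports.
SAMPLE_POSTS = [
    {"id": 101,   # classic-editor shortcode: the existing filter does see this one
     "content": '<p>Feed:</p>[jsoncontentimporter url="https://example.invalid/feed.json" debugmode="10"]'},
    {"id": 102,   # Gutenberg block with the same attributes plus markup in apiaccesset;
                  # WordPress stores < and > inside block JSON as \u003c / \u003e
     "content": '<!-- wp:json-content-importer/block {"url":"https://example.invalid/feed.json",'
                '"debugmode":"10","apiaccesset":"\\u003cb\\u003emarker\\u003c/b\\u003e"} /-->'},
    {"id": 103,   # block with debug off and a plain URL: nothing to flag
     "content": '<!-- wp:json-content-importer/block {"url":"https://example.invalid/feed.json"} /-->'},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POSTS):
        print(finding)
```

Run against a real export, the `seen_by_shortcode_gate` flag is the useful column: a risky block usage with the flag set to False is exactly the case the content_save_pre filter cannot reach, which is why the fix has to happen at output (escaping the values before they are appended to the debug message) rather than only at save time.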
Security Fix
@@ -143,9 +143,9 @@ } - if ( ! current_user_can( 'unfiltered_html' ) ) { - return 'shortcode disabled'; - } +#if ( ! current_user_can( 'unfiltered_html' ) ) { +# return 'shortcode disabled'; +#} @@ -3,7 +3,7 @@ Plugin Name: Get Use APIs - JSON Content Importer Plugin URI: https://json-content-importer.com/ Description: Plugin to import, cache and display a JSON-Feed. Display is done with wordpress-shortcode or gutenberg-block. -Version: 2.0.9 +Version: 2.0.10 Author: Bernhard Kux Author URI: https://json-content-importer.com/ Text Domain: json-content-importer @@ -21,7 +21,7 @@ exit; } defined('ABSPATH') OR exit; -define( 'JCIFREE_VERSION', '2.0.9' ); +define( 'JCIFREE_VERSION', '2.0.10' ); define( 'JCIFREE_UO_AUTOLOAD', FALSE); # FALSE: update_option does not load values everytime, but only if really needed function jcifree_getjson($api_set, $convert_xmlcsv_to_json=FALSE, $cacheinsec=0, $debugmode=FALSE) {
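Review bot: the hunk at `@@ -143,9 +143,9 @@` removes a defence rather than adding one: the `current_user_can( 'unfiltered_html' )` gate that returned 'shortcode disabled' is turned into three `#`-commented lines, and none of the hunks shown escapes the attribute values that showdebugmessage() appends to $this->debugmessage, which the advisory names as the root cause. Confirm where 2.0.10 applies esc_html()/esc_attr() to those values before output, and delete the dead `#if`/`#}` lines instead of leaving them in place so the intent (check dropped, not paused) is unambiguous.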
Exploit Outline
The exploit targets the plugin's debug output functionality, which reflects input attributes without sanitization.
1. Authentication: The attacker requires Contributor-level access or higher to create or edit posts.
2. Bypass: While the plugin uses a 'content_save_pre' filter to block the [jsoncontentimporter] shortcode for non-admins, it does not account for Gutenberg blocks. The attacker inserts a JCI Gutenberg block into a post.
3. Payload: The attacker crafts the block attributes to include 'debugmode="10"' and a malicious script in an attribute that is reflected in error messages, such as 'url' or 'apiaccesset' (e.g., apiaccesset="<script>alert(document.cookie)</script>").
4. Trigger: The attacker ensures the plugin hits an error path, for example by providing a non-existent 'apiaccesset' name.
5. Execution: When an administrator views the post (either in the editor or the public preview), the plugin generates a debug/error message containing the unescaped payload, which executes in the admin's browser session.