[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEtRgRwMj2b-E4XzuzqCdXssS3RRhqAJbSmnSMkTXcHU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2025-15363","get-use-apis-json-content-importer-authenticated-contributor-stored-cross-site-scripting","Get Use APIs – JSON Content Importer \u003C 2.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Get Use APIs – JSON Content Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","json-content-importer",null,"\u003C2.0.10","2.0.10","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-19 00:00:00","2026-03-19 14:50:51",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fec857762-9506-4df0-afe6-7f738df976a2?source=api-prod",1,[22,23,24],"class-json-content-importer.php","json-content-importer.php","readme.txt","researched",false,3,"# Research Plan: CVE-2025-15363 - Get Use APIs – JSON Content Importer Stored XSS\n\n## 1. Vulnerability Summary\nThe **Get Use APIs – JSON Content Importer** plugin (versions \u003C 2.0.10) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to sanitize or escape shortcode attributes before echoing them back to the page when \"debug mode\" is enabled. \n\nWhile the plugin attempts to restrict Contributors from using the shortcode via a `content_save_pre` filter and role checks within the execution function, these protections are bypassed when using **Gutenberg blocks**, which utilize a different storage format that evades the shortcode-specific filter. When an administrator views a page containing a maliciously crafted block, the XSS payload executes in their context.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: WordPress Post\u002FPage Editor (via Gutenberg Block).\n- **Vulnerable Function**: `JsonContentImporter::shortcodeExecute` (which is also used for block rendering).\n- **Payload Carry**: Shortcode\u002FBlock attributes, specifically `url` or any other attribute passed to the `atts` array.\n- **Preconditions**: \n    - The attacker must have `Contributor` level access or higher.\n    - The `debugmode` attribute must be set to `10`.\n    - The `apiaccesset` attribute should be set to a non-existent value to trigger the immediate error return path containing","The Get Use APIs – JSON Content Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gutenberg block attributes. Authenticated attackers with Contributor-level access or higher can bypass shortcode-specific security filters by using Gutenberg blocks and injecting malicious scripts into attributes that are reflected unescaped when 'debug mode' is enabled.","\u002F\u002F class-json-content-importer.php line 79\nprivate function showdebugmessage($message, $showDEBUG=TRUE){\n  if ($this->debugmode[$this->nestedlevel]!=10) {\n    return \"\";\n  }\n if ($showDEBUG) {\n    $this->debugmessage[$this->nestedlevel] .= __('DEBUG' , 'json-content-importer').' ('.$this->nestedlevel.'-'.$this->debugmode[$this->nestedlevel].'): ';\n }\n  $this->debugmessage[$this->nestedlevel] .= \"$message\u003Cbr>\";\n}\n\n---\n\n\u002F\u002F json-content-importer.php line 135\nadd_filter('content_save_pre', function ($content) {\n\tif ( ! has_shortcode( $content, 'jsoncontentimporter' ) ) {\n\t\treturn $content;\n\t}\n\tif ( current_user_can( 'unfiltered_html' ) ) {\n\t\treturn $content;\n\t}\n\t$re = get_shortcode_regex( [ 'jsoncontentimporter' ] );\n\treturn preg_replace_callback( \"\u002F$re\u002Fs\", function( $m ) {\n\t\tif ( $m[2] !== 'jsoncontentimporter' ) return $m[0];\n\t\treturn '\u003C!-- Blocked: You have added the jsoncontentimporter shortcode. 
This is not allowed with your current WordPress permissions. -->';\n\t\t}, $content );\n}, 20);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjson-content-importer\u002F2.0.9\u002Fclass-json-content-importer.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjson-content-importer\u002F2.0.10\u002Fclass-json-content-importer.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjson-content-importer\u002F2.0.9\u002Fclass-json-content-importer.php\t2026-02-19 20:31:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjson-content-importer\u002F2.0.10\u002Fclass-json-content-importer.php\t2026-02-20 04:35:06.000000000 +0000\n@@ -143,9 +143,9 @@\n \t}\n \t   \n \t   \n-\tif ( ! current_user_can( 'unfiltered_html' ) ) {\n-\t\treturn 'shortcode disabled';\n-\t}\t   \n+#if ( ! current_user_can( 'unfiltered_html' ) ) {\n+#\treturn 'shortcode disabled';\n+#}\t   \n \t   \n \t   \n \t   \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjson-content-importer\u002F2.0.9\u002Fjson-content-importer.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjson-content-importer\u002F2.0.10\u002Fjson-content-importer.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjson-content-importer\u002F2.0.9\u002Fjson-content-importer.php\t2026-02-19 20:31:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjson-content-importer\u002F2.0.10\u002Fjson-content-importer.php\t2026-02-20 04:35:06.000000000 +0000\n@@ -3,7 +3,7 @@\n Plugin Name: Get Use APIs - JSON Content Importer\n Plugin URI: https:\u002F\u002Fjson-content-importer.com\u002F\n Description: Plugin to import, cache and display a JSON-Feed. 
Display is done with wordpress-shortcode or gutenberg-block.\n-Version: 2.0.9\n+Version: 2.0.10\n Author: Bernhard Kux\n Author URI: https:\u002F\u002Fjson-content-importer.com\u002F\n Text Domain: json-content-importer\n@@ -21,7 +21,7 @@\n \texit;\n }\n defined('ABSPATH') OR exit;\n-define( 'JCIFREE_VERSION', '2.0.9' );\n+define( 'JCIFREE_VERSION', '2.0.10' );\n define( 'JCIFREE_UO_AUTOLOAD', FALSE); # FALSE: update_option does not load values everytime, but only if really needed\n \n function jcifree_getjson($api_set, $convert_xmlcsv_to_json=FALSE, $cacheinsec=0, $debugmode=FALSE) {","The exploit targets the plugin's debug output functionality which reflects input attributes without sanitization. \n\n1. Authentication: The attacker requires Contributor-level access or higher to create or edit posts.\n2. Bypass: While the plugin uses a 'content_save_pre' filter to block the [jsoncontentimporter] shortcode for non-admins, it does not account for Gutenberg blocks. The attacker inserts a JCI Gutenberg block into a post.\n3. Payload: The attacker crafts the block attributes to include 'debugmode=\"10\"' and a malicious script in an attribute that is reflected in error messages, such as 'url' or 'apiaccesset' (e.g., apiaccesset=\"\u003Cscript>alert(document.cookie)\u003C\u002Fscript>\").\n4. Trigger: The attacker ensures the plugin hits an error path, for example by providing a non-existent 'apiaccesset' name. \n5. 
Execution: When an administrator views the post (either in the editor or the public preview), the plugin generates a debug\u002Ferror message containing the unescaped payload, which executes in the admin's browser session.","gemini-3-flash-preview","2026-04-18 02:19:22","2026-04-18 02:20:12",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","2.0.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjson-content-importer\u002Ftags\u002F2.0.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjson-content-importer.2.0.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjson-content-importer\u002Ftags\u002F2.0.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjson-content-importer.2.0.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjson-content-importer\u002Ftags"]
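Review bot: the class-json-content-importer.php hunk at @@ -143,9 +143,9 @@ only comments out the `current_user_can( 'unfiltered_html' )` gate and adds no escaping, so the value appended in showdebugmessage() (`$this->debugmessage[$this->nestedlevel] .= "$message<br>";`) still reaches the page raw after this change. A capability check at render time evaluates the viewer, not the author of the stored content: it returned 'shortcode disabled' to anonymous visitors while letting an administrator (who has unfiltered_html, and is the target the exploit outline describes) render the payload, so removing it restores rendering without addressing the stored XSS. Suggested change is to escape the attribute-derived text before it is appended, e.g. `$this->debugmessage[$this->nestedlevel] .= esc_html($message).'<br>';` when $message is plain text, or esc_html()/esc_attr() on each attribute value at the call sites if $message legitimately carries markup. Note also that patch_diff_files lists readme.txt, but the diff shown covers only the two PHP files, and neither hunk touches sanitization; with research_verified set to false, the page should not imply that 2.0.10 closes the issue on the strength of this diff alone.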
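Added example, not code from the plugin or from the advisory above: a stand-alone Python model of the two points the research notes make, the content_save_pre filter matching only the shortcode form while Gutenberg block markup carries the same attributes past it untouched, and the render-time path gating on the viewer's capability and then echoing the attribute into the debug message unescaped. The block name json-content-importer/jci-block, the error text inside render_debug(), and the sample post content are constructed for the example; the attribute names debugmode and apiaccesset and the shortcode tag come from the advisory. serialize_block_attributes() is an approximation of the WordPress function of the same name.

```python
import html
import json
import re

SHORTCODE_TAG = "jsoncontentimporter"
# Assumption: the advisory does not name the plugin's registered block; any name works here.
BLOCK_NAME = "json-content-importer/jci-block"

# Stand-in for get_shortcode_regex(['jsoncontentimporter']): an opening tag with attributes.
SHORTCODE_RE = re.compile(r"\[" + re.escape(SHORTCODE_TAG) + r"\b[^\]]*\]")
# Gutenberg block delimiter with its optional JSON attribute object, self-closing or not.
BLOCK_RE = re.compile(
    r"<!--\s+wp:([a-z][a-z0-9-]*/[a-z][a-z0-9-]*)\s*(\{.*?\})?\s*/?-->", re.S
)


def serialize_block_attributes(attrs: dict) -> str:
    """Approximation of WordPress serialize_block_attributes(): JSON in which the
    characters that could close the HTML comment, or form a tag, are unicode-escaped.
    This is why the stored post_content holds no literal '<script' for kses to strip."""
    encoded = json.dumps(attrs, separators=(",", ":"))
    for raw, esc in (("--", r"\u002d\u002d"), ("<", r"\u003c"), (">", r"\u003e"),
                     ("&", r"\u0026"), ('\\"', r"\u0022")):
        encoded = encoded.replace(raw, esc)
    return encoded


def block_markup(attrs: dict) -> str:
    """Self-closing block comment as the editor would store it in post_content."""
    return f"<!-- wp:{BLOCK_NAME} {serialize_block_attributes(attrs)} /-->"


def block_attributes(content: str, block_name: str) -> list:
    """Decode the attribute object of every block comment carrying the given name."""
    found = []
    for m in BLOCK_RE.finditer(content):
        if m.group(1) == block_name:
            try:
                found.append(json.loads(m.group(2) or "{}"))
            except json.JSONDecodeError:
                found.append({})
    return found


def shortcode_only_gate(content: str, can_unfiltered_html: bool) -> str:
    """Model of the plugin's content_save_pre filter: only the shortcode form is replaced."""
    if can_unfiltered_html or not SHORTCODE_RE.search(content):
        return content
    return SHORTCODE_RE.sub("<!-- Blocked: jsoncontentimporter shortcode -->", content)


def block_aware_gate(content: str, can_unfiltered_html: bool) -> str:
    """The same gate extended to the block form. It closes the bypass but is still a
    save-time band-aid; escaping at output (render_debug below) is the real fix."""
    if can_unfiltered_html:
        return content
    content = shortcode_only_gate(content, False)
    return BLOCK_RE.sub(
        lambda m: "<!-- Blocked: jsoncontentimporter block -->"
        if m.group(1) == BLOCK_NAME else m.group(0),
        content,
    )


def render_debug(attrs: dict, viewer_can_unfiltered_html: bool, escape_output: bool) -> str:
    """Render-time path modelled on 2.0.9: the unfiltered_html gate tests the *viewer*,
    then the error path appends the attribute to the debug message. The error text is
    constructed; the advisory only says the path echoes the attribute."""
    if not viewer_can_unfiltered_html:
        return "shortcode disabled"
    if str(attrs.get("debugmode")) != "10":
        return ""
    message = f"apiaccesset '{attrs.get('apiaccesset', '')}' not found"
    if escape_output:
        message = html.escape(message, quote=True)  # the esc_html() equivalent
    return f"DEBUG: {message}<br>"


# Constructed attacker input: the same attributes once as the shortcode the filter
# looks for, once as block markup it never inspects.
PAYLOAD = "<script>alert(document.cookie)</script>"
EVIL = {"debugmode": "10", "apiaccesset": PAYLOAD}
SHORTCODE_POST = f'[{SHORTCODE_TAG} debugmode="10" apiaccesset="{PAYLOAD}"]'
BLOCK_POST = block_markup(EVIL)

if __name__ == "__main__":
    print(shortcode_only_gate(SHORTCODE_POST, False))  # shortcode form: blocked
    print(shortcode_only_gate(BLOCK_POST, False))      # block form: stored unchanged
    stored = block_attributes(BLOCK_POST, BLOCK_NAME)[0]
    print(render_debug(stored, False, False))          # anonymous viewer: 'shortcode disabled'
    print(render_debug(stored, True, False))           # admin viewer: raw <script> on the page
    print(render_debug(stored, True, True))            # escaped: rendered as text
```

The contrast to take from the run is that the 2.0.9 viewer-side capability check disables output for exactly the users who could not be harmed and passes the payload to the administrator who can; only the escape_output branch removes the markup regardless of who is viewing.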