Home

Description

The Get Use APIs WordPress plugin before 2.0.10 executes imported JSON, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks under certain server configurations.

PUBLISHED Reserved 2025-12-30 | Published 2026-03-18 | Updated 2026-03-18 | Assigner WPScan

Problem types

CWE-79 Cross-Site Scripting (XSS)

Product status

Default status
unaffected

Any version before 2.0.10
affected

Credits

Ahmed Makawi finder

WPScan coordinator

References

wpscan.com/...rability/428d08bb-5329-4406-a785-131bae4ed085/ exploit vdb-entry technical-description

cve.org (CVE-2025-15363)

nvd.nist.gov (CVE-2025-15363)

Download JSON