Description
The Get Use APIs WordPress plugin before 2.0.10 executes imported JSON, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks under certain server configurations.
Published: 2026-03-18
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The Get Use APIs WordPress plugin prior to version 2.0.10 can execute JavaScript contained in imported JSON. A contributor‑level user can force the plugin to import a crafted JSON file, causing the site to render user‑supplied script. This stored XSS vulnerability can lead to session hijacking, data theft, or other client‑side attacks on any visitor who views the compromised content.

Affected Systems

The flaw affects the Get Use APIs plugin with any release before 2.0.10, regardless of the WordPress host. Administrators should check the installed plugin version. No additional whitelist or dependences are listed.

Risk and Exploitability

The vulnerability has a CVSS score of 5.9, indicating moderate severity. EPSS is below 1%, suggesting low current exploitation probability, and it is not listed in CISA’s Known Exploited Vulnerabilities catalog. Likely attack vectors involve a contributor uploading malicious JSON through the import feature, which is publicly accessible on the site; the necessary conditions are that the user has contributor rights and that the plugin processes the JSON without proper filtering.

Generated by OpenCVE AI on March 18, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Get Use APIs plugin to version 2.0.10 or later.

Generated by OpenCVE AI on March 18, 2026 at 15:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Berkux
Berkux get Use Apis
Wordpress
Wordpress wordpress
Vendors & Products Berkux
Berkux get Use Apis
Wordpress
Wordpress wordpress

Wed, 18 Mar 2026 06:30:00 +0000

Type Values Removed Values Added
Description The Get Use APIs WordPress plugin before 2.0.10 executes imported JSON, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks under certain server configurations.
Title Get Use APIs < 2.0.10 - Contributor+ Stored XSS
References

Subscriptions

Berkux Get Use Apis
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-03-18T13:33:20.817Z

Reserved: 2025-12-30T13:51:48.843Z

Link: CVE-2025-15363

cve-icon Vulnrichment

Updated: 2026-03-18T13:30:33.589Z

cve-icon NVD

Status : Deferred

Published: 2026-03-18T07:16:21.187

Modified: 2026-04-15T15:05:47.827

Link: CVE-2025-15363

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:59:16Z

Weaknesses