Impact
The JSON API User plugin for WordPress contains a stored cross-site scripting flaw in the post_comment() API endpoint. Attacker-controlled content passed in the 'content' parameter is inserted into the database without sanitization, and the same request can mark the comment as approved by setting 'comment_approved'=1, so the comment is published immediately without moderation. Any user who loads a page that displays the comment then executes the injected script, which can steal cookies, hijack sessions, or alter page content.
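The following is an added illustration of the insertion pattern the advisory describes, shown beside a hardened form; it is not the plugin's own source, the function names json_api_post_comment_vulnerable() and json_api_post_comment_hardened() are hypothetical, and it assumes it runs inside WordPress so that core comment functions (wp_insert_comment, wp_new_comment, wp_kses, wp_slash, wp_unslash, comments_open) are available.

```php
<?php
// Added example, not the JSON API User plugin's own code. Assumes WordPress is
// loaded. Both endpoint function names below are hypothetical.

// Pattern described in the advisory: the 'content' parameter is stored as-is and
// a client-supplied 'comment_approved' flag is trusted, so the comment is
// published immediately with no moderation and no HTML filtering.
function json_api_post_comment_vulnerable( array $request ) {
    $commentdata = array(
        'comment_post_ID'  => (int) $request['post_id'],
        'comment_content'  => $request['content'],           // raw HTML/script from the client
        'user_id'          => get_current_user_id(),
        'comment_approved' => $request['comment_approved'],  // client decides approval (1 = live)
    );
    // wp_insert_comment() writes directly to the database. It does not run the
    // pre_comment_* filters (which apply the KSES allowlist for users lacking
    // unfiltered_html) and it does not consult the site's moderation settings.
    return wp_insert_comment( $commentdata );
}

// Hardened form: approval status is never taken from the request, content is
// reduced to WordPress's comment allowlist, and wp_new_comment() applies the
// pre_comment_* filters plus wp_allow_comment() moderation rules.
function json_api_post_comment_hardened( array $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'not_logged_in', 'Authentication required.' );
    }

    $post_id = (int) ( $request['post_id'] ?? 0 );
    if ( $post_id <= 0 || ! comments_open( $post_id ) ) {
        return new WP_Error( 'comments_closed', 'Comments are not open on this post.' );
    }

    $user = wp_get_current_user();

    // WordPress slashes request superglobals; unslash before sanitizing so the
    // allowlist sees the real bytes, then reslash because wp_new_comment()
    // expects slashed data.
    $content = wp_unslash( (string) ( $request['content'] ?? '' ) );
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        // 'data' selects the default comment allowlist ($allowedtags): <script>,
        // event handlers and javascript: URLs are stripped.
        $content = wp_kses( $content, 'data' );
    }

    $commentdata = wp_slash( array(
        'comment_post_ID'      => $post_id,
        'comment_content'      => $content,
        'comment_author'       => $user->display_name,
        'comment_author_email' => $user->user_email,
        'comment_author_url'   => $user->user_url,
        'user_id'              => $user->ID,
        // Deliberately no 'comment_approved' key: wp_new_comment() decides via
        // wp_allow_comment() (moderation settings, author history, blocklist).
    ) );

    $comment_id = wp_new_comment( $commentdata, true );
    if ( is_wp_error( $comment_id ) ) {
        return $comment_id;
    }

    return array(
        'id'     => $comment_id,
        'status' => wp_get_comment_status( $comment_id ), // 'approved', 'unapproved', 'spam', ...
    );
}
```

Two properties are worth checking in review of any comment-posting endpoint: that no approval or status field is ever read from the request body, and that comments reach the database through wp_new_comment() rather than wp_insert_comment(), since only the former runs the KSES and moderation pipeline that the normal comment form gets.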
Affected Systems
The vulnerability affects all releases of the JSON API User plugin by parorrey up to and including version 4.1.0. The fix was introduced in version 4.1.2 and later. WordPress sites that have the plugin installed and accept comments through its API are therefore at risk.
Risk and Exploitability
The flaw carries a CVSS score of 6.4, indicating moderate severity. EPSS data is not available, and the vulnerability is not currently listed in CISA's KEV catalog. Because exploitation requires only an authenticated subscriber-level account, sites with many registered users are the most exposed; once a malicious comment is inserted, the script executes on every subsequent view of the page until the comment is removed.
OpenCVE Enrichment