CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
Description (NVD)
The Get Use APIs WordPress plugin before 2.0.10 executes imported JSON, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks under certain server configurations.
Analysis (AI)
Get Use APIs WordPress plugin versions before 2.0.10 are vulnerable to Cross-Site Scripting (XSS) because the plugin's import feature executes the JSON it is handed instead of treating it as data. According to the NVD description the flaw is reachable by users with a role as low as Contributor, so the realistic threat model is an authenticated low-trust account (or a compromised one) injecting script that then runs in other users' browsers. Note the tension with the NVD vector, which scores the privileges required as High (PR:H) with user interaction required (UI:R), changed scope (S:C) and Low confidentiality, integrity and availability impact; PR:H is unusual for a contributor-reachable flaw, so treat the looser of the two (Contributor) as the effective requirement until confirmed. NVD also qualifies exploitation with "under certain server configurations" without saying which, so assume every installation below 2.0.10 is affected unless shown otherwise. A public proof of concept is available via WPScan, and the issue is tracked by WPScan, VulDB and EUVD-2025-208813.
Technical Context (AI)
The vulnerability is in the plugin's import functionality: user-supplied JSON is not handled as inert data but executed or rendered, and the strings it carries are neither validated on the way in nor escaped on the way out, which is the standard Cross-Site Scripting pattern (CWE-79). Neither the NVD text nor the advisory summary on this page names the exact sink; "executes imported JSON" together with the qualifier "under certain server configurations" indicates that how the imported content is processed depends on server-side settings, but any suggestion that the plugin passes the JSON through eval() or similar dynamic-execution functions is speculation not supported by these sources. The affected product, identified by the CPE cpe:2.3:a:unknown:get_use_apis:*:*:*:*:*:*:*:* (vendor not recorded), is a PHP-based WordPress plugin for integrating external APIs. What makes the flaw notable is its entry point: the import pathway is reachable by Contributor-level users, a role that in stock WordPress cannot publish posts and lacks the unfiltered_html capability, so the plugin effectively hands contributors a way to get script onto the site that WordPress itself withholds from them.
Remediation (AI)
Update Get Use APIs to version 2.0.10 or later from the Plugins screen in the WordPress admin panel, or by installing the release from the WordPress plugin repository, and confirm the installed version afterwards. Until the update is applied, treat every Contributor-or-higher account as able to inject script: review those accounts, remove stale or unrecognised ones and lower roles where possible; deactivate the plugin if its import feature is not in use; and add a Web Application Firewall rule that inspects the body of requests to the plugin's import endpoint for HTML tags, event-handler attributes (onerror=, onload=) and javascript: URLs. After updating, check web-server and WordPress activity logs for import requests from low-privileged accounts in the window before the patch, and inspect anything imported in that window, because a payload that was stored by the import may survive the upgrade until the imported data itself is removed. For the source details and the proof of concept, see the WPScan advisory: https://wpscan.com/vulnerability/428d08bb-5329-4406-a785-131bae4ed085/.
External POC / Exploit Code
EUVD-2025-208813