CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Description
The Get Use APIs WordPress plugin before 2.0.10 executes imported JSON, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks under certain server configurations.
Analysis
The Get Use APIs WordPress plugin before version 2.0.10 contains a Cross-Site Scripting (XSS) vulnerability caused by the unsanitized execution of imported JSON data. An attacker holding only contributor-level privileges (a low WordPress role) can inject and execute scripts under certain server configurations, which puts site integrity and user data at risk. A public proof-of-concept is available via WPScan, and the issue is tracked by several sources (WPScan, VulDB, and EUVD-2025-208813), so it should be treated as publicly known.
Technical Context
The vulnerability stems from improper handling of JSON input in the import functionality of the Get Use APIs plugin. The root cause is that the plugin does not sanitize or validate the JSON data before executing it, which falls under the broader CWE category of improper input validation leading to code execution. The affected product, identified by the CPE cpe:2.3:a:unknown:get_use_apis:*:*:*:*:*:*:*:*, is a PHP-based WordPress plugin that provides API integration capabilities. The issue is configuration-dependent: on certain server configurations the imported JSON content is executed directly as code, which is consistent with the plugin passing it to eval() or a similar dynamic code execution pattern without proper escaping. The impact is worsened by the fact that even low-privileged users (contributors) can reach the vulnerable import pathway.
Affected Products
The Get Use APIs WordPress plugin in all versions prior to 2.0.10 is affected, as confirmed by the CPE identifier cpe:2.3:a:unknown:get_use_apis:*:*:*:*:*:*:*:* and EUVD advisory listing versions 0 through 2.0.9 as vulnerable. The vulnerability impacts any WordPress installation running this plugin with an affected version. Administrators should consult the WPScan vulnerability database entry at https://wpscan.com/vulnerability/428d08bb-5329-4406-a785-131bae4ed085/ and the NIST NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-15363 for complete details.
Remediation
Immediately upgrade the Get Use APIs plugin to version 2.0.10 or later through the WordPress plugin administration panel or manually from the WordPress plugin repository. Until patching is possible, restrict contributor-level permissions to trusted users only and review existing contributor accounts for unauthorized access. Additionally, disable JSON file imports from untrusted sources and implement Web Application Firewall (WAF) rules to detect and block XSS payloads in import requests. Monitor server logs for suspicious requests to the plugin's import functionality. For comprehensive guidance, refer to the WPScan vulnerability advisory at https://wpscan.com/vulnerability/428d08bb-5329-4406-a785-131bae4ed085/.
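The root cause described under Technical Context and the remediation advice above both come down to the same defensive pattern: treat an imported JSON file as data, never as code, and gate the import behind an administrator capability. The handler below is an added example (not the Get Use APIs plugin's own code); the action name, option name and field names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Hardened settings-import handler:
// capability + nonce checks, json_decode instead of any dynamic execution,
// an allow-list of expected keys with per-field sanitisation, and escaping
// when stored values are rendered. Action/option/field names are hypothetical.

add_action( 'admin_post_example_api_import', 'example_api_import_handler' );

function example_api_import_handler() {
    // Contributors must never reach this code path: require an admin capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'example_api_import' ); // CSRF protection for the form

    if ( empty( $_FILES['import_file']['tmp_name'] ) ) {
        wp_die( 'No file uploaded.', 400 );
    }
    $raw = file_get_contents( $_FILES['import_file']['tmp_name'] );

    // Parse as data only. Imported content is never passed to eval()/include().
    try {
        $data = json_decode( $raw, true, 8, JSON_THROW_ON_ERROR );
    } catch ( JsonException $e ) {
        wp_die( 'Invalid JSON import.', 400 );
    }
    if ( ! is_array( $data ) ) {
        wp_die( 'Import must be a JSON object.', 400 );
    }

    $clean = example_api_sanitize_import( $data );
    update_option( 'example_api_settings', $clean );
    wp_safe_redirect( admin_url( 'admin.php?page=example-api&imported=1' ) );
    exit;
}

// Allow-list of expected fields; anything else in the file is dropped.
function example_api_sanitize_import( array $data ) {
    $clean             = array();
    $clean['label']    = isset( $data['label'] ) ? sanitize_text_field( $data['label'] ) : '';
    $clean['endpoint'] = isset( $data['endpoint'] ) ? esc_url_raw( $data['endpoint'], array( 'https' ) ) : '';
    $clean['method']   = in_array( $data['method'] ?? '', array( 'GET', 'POST' ), true ) ? $data['method'] : 'GET';
    return $clean;
}

// Escape again at output time so a stored value can never become markup.
function example_api_render_label( array $settings ) {
    echo '<span class="api-label">' . esc_html( $settings['label'] ) . '</span>';
}
```

Sanitising on import and escaping on output are independent layers; a WAF rule on the import request is a third layer, not a substitute for either.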