Skip to main content

Json Api User

2 CVEs product

Monthly

CVE-2026-9626 MEDIUM This Month

Stored Cross-Site Scripting in the JSON API User WordPress plugin (versions ≤ 4.1.0) allows authenticated attackers with subscriber-level or higher access to inject persistent JavaScript via the `content` parameter of the `post_comment` API endpoint. The plugin's `post_comment()` function passes attacker-controlled `comment_content` directly to WordPress's native `wp_insert_comment()` without any HTML sanitization, and a compounding design flaw permits callers to supply `comment_approved=1` to self-approve comments and entirely bypass the WordPress moderation queue. No public exploit code or CISA KEV listing is confirmed at time of analysis; however, the CVSS scope-change flag (S:C) and low authentication barrier make this a meaningful risk on any site permitting open user registration.

WordPress XSS Json Api User
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-6624 CRITICAL PATCH Act Now

The JSON API User plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.9.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 43.5%.

Privilege Escalation WordPress Json Api User
NVD
CVSS 3.1
9.8
EPSS
43.5%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the JSON API User WordPress plugin (versions ≤ 4.1.0) allows authenticated attackers with subscriber-level or higher access to inject persistent JavaScript via the `content` parameter of the `post_comment` API endpoint. The plugin's `post_comment()` function passes attacker-controlled `comment_content` directly to WordPress's native `wp_insert_comment()` without any HTML sanitization, and a compounding design flaw permits callers to supply `comment_approved=1` to self-approve comments and entirely bypass the WordPress moderation queue. No public exploit code or CISA KEV listing is confirmed at time of analysis; however, the CVSS scope-change flag (S:C) and low authentication barrier make this a meaningful risk on any site permitting open user registration.

WordPress XSS Json Api User
NVD VulDB
EPSS 43% CVSS 9.8
CRITICAL PATCH Act Now

The JSON API User plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.9.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 43.5%.

Privilege Escalation WordPress Json Api User
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy