Get Use APIs WordPress Plugin Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Get Use APIs WordPress plugin, affecting versions prior to 2.0.10. The issue arises because the plugin executes imported JSON, which could enable users with a contributor role to perform cross-site scripting attacks, depending on the server configuration.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the content.

Reproduction

To reproduce this vulnerability, log in as a contributor and create a WordPress post. Remove the 'mbstring' PHP extension if it is installed. Then, create a malicious JSON file containing a script tag, such as an alert displaying cookie information, and host it at a publicly accessible URL. In the WordPress post, use the 'jsoncontentimporter' shortcode to import the malicious JSON. Once the post is drafted, preview it as an admin to see the cross-site scripting alert.