Stored Cross-Site Scripting Vulnerability in JSON API User Plugin for WordPress
CVE-2026-9626

6.4MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
3 July 2026

What is CVE-2026-9626?

The JSON API User plugin for WordPress has a vulnerability that allows authenticated users to exploit the 'content' parameter in the post_comment API endpoint. Due to a lack of proper input sanitization in the post_comment() function, attackers can inject malicious scripts into website pages. This vulnerability affects versions up to and including 4.1.0, enabling attackers with subscriber-level access or higher to bypass moderation controls by self-approving their comments. When these comments are viewed by users, the injected scripts execute, potentially compromising sensitive information or redirecting users to malicious sites.

Affected Version(s)

JSON API User 0 <= 4.1.0

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yat
.