Stored Cross-Site Scripting Vulnerability in JSON API User Plugin for WordPress
CVE-2026-9626
6.4MEDIUM
What is CVE-2026-9626?
The JSON API User plugin for WordPress has a vulnerability that allows authenticated users to exploit the 'content' parameter in the post_comment API endpoint. Due to a lack of proper input sanitization in the post_comment() function, attackers can inject malicious scripts into website pages. This vulnerability affects versions up to and including 4.1.0, enabling attackers with subscriber-level access or higher to bypass moderation controls by self-approving their comments. When these comments are viewed by users, the injected scripts execute, potentially compromising sensitive information or redirecting users to malicious sites.
Affected Version(s)
JSON API User 0 <= 4.1.0