CVE-2025-15363 PUBLISHED

Get Use APIs < 2.0.10 - Contributor+ Stored XSS

Assigner: WPScan
Reserved: 30.12.2025 Published: 18.03.2026 Updated: 18.03.2026

The Get Use APIs WordPress plugin before 2.0.10 executes imported JSON, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks under certain server configurations.

Product Status

Vendor	Unknown
Product	Get Use APIs
Versions	Default: unaffected affected from 0 to 2.0.10 (excl.)

Credits

Ahmed Makawi finder
WPScan coordinator

References

https://wpscan.com/vulnerability/428d08bb-5329-4406-a785-131bae4ed085/

Problem Types

CWE-79 Cross-Site Scripting (XSS) CWE