JSON Content Importer < 2.0.10 — Contributor+ Stored XSS (CVE‑2025‑15363)

Nom du plugin	Plugin d'importation de contenu JSON WordPress
Type de vulnérabilité	Script intersite (XSS)
Numéro CVE	CVE-2025-15363
Urgence	Moyen
Date de publication CVE	2026-03-19
URL source	CVE-2025-15363

JSON Content Importer < 2.0.10 — Contributor+ Stored XSS (CVE‑2025‑15363)

Publié : 2026-03-19

En tant que professionnels de la sécurité basés à Hong Kong avec une expérience pratique en réponse aux incidents WordPress, cet article fournit une analyse technique de CVE‑2025‑15363 (XSS stocké) affectant les versions du plugin Importateur de contenu JSON antérieures à 2.0.10. L'objectif est pragmatique : expliquer les mécanismes, l'impact réaliste, les techniques de détection, les étapes de confinement et les mesures de durcissement à long terme pour réduire le risque pendant que vous appliquez le correctif du fournisseur.

Résumé rapide (tl;dr)

Un XSS stocké existe dans le plugin Importateur de contenu JSON avant la version 2.0.10.
La vulnérabilité peut être exploitée par des comptes ayant des privilèges de Contributor ou supérieurs.
L'exploitation réussie nécessite l'interaction d'un utilisateur privilégié (par exemple, visualiser un post conçu dans l'admin), donc l'ingénierie sociale est souvent impliquée.
CVSS (valeur rapportée) est de 6.5 — impact moyen-élevé pour les sites avec des rôles de Contributor et des flux de travail de révision active par des éditeurs/admins.
Mettez à jour vers 2.0.10 (ou version ultérieure) comme solution définitive. Si vous ne pouvez pas mettre à jour immédiatement, appliquez les atténuations temporaires décrites ci-dessous.

Pourquoi le XSS stocké est important dans WordPress

Le XSS stocké est dangereux car les entrées malveillantes sont persistées sur le site (posts, postmeta, paramètres de plugin, commentaires, etc.) et exécutées plus tard dans le contexte du navigateur d'une victime. Dans WordPress, les utilisateurs admin sont les victimes de la plus haute valeur : si un attaquant peut exécuter un script dans la session d'un administrateur, la prise de contrôle du site est possible.

Conséquences courantes après exploitation :

Vol de session admin (détournement de cookie/session) menant à la prise de contrôle du site.
Escalade de privilèges via des actions pilotées par JavaScript (création de nouveaux utilisateurs admin, changement d'options via AJAX).
Installation de portes dérobées persistantes ou de shells web.
Distribution de logiciels malveillants ou de formulaires de collecte de données d'identification aux visiteurs du site.
Injection de contenu, spam SEO et dommages à la réputation à long terme.

Comment cette vulnérabilité spécifique fonctionne — niveau élevé

Un utilisateur avec des capacités de Contributor (ou supérieures) soumet des données à un point de terminaison ou une interface utilisateur fournie par le plugin — par exemple, un champ d'importation ou une zone où le contenu ou le balisage JSON est stocké.
Le plugin persiste les données sans les assainir ou les échapper adéquatement lors de leur sortie ultérieure dans une page d'administration (ou autre page visitée par des utilisateurs privilégiés).
Un Administrateur ou un Éditeur ouvre la page affectée dans le tableau de bord (ou en aperçu), et le JavaScript injecté s'exécute dans leur navigateur.
Le script effectue des actions privilégiées (utilisant des cookies, appelant des actions AJAX administratives, créant des utilisateurs, exfiltrant des jetons), permettant une prise de contrôle ou un compromis persistant.

Points clés : L'exploitation nécessite qu'un utilisateur privilégié consulte la charge utile stockée ; l'attaquant initial n'a besoin que d'un accès contributeur. Cela est significatif pour les sites qui acceptent des soumissions de contributeurs ou permettent des importations de contenu à partir de sources externes.

Scénarios d'exploitation réalistes

Des contributeurs bénévoles soumettent des brouillons sur un site d'actualités. Un attaquant inclut une charge utile JSON conçue qui s'exécute lorsqu'un Éditeur examine le brouillon.
Un compte de contractant compromis ou un contractant malveillant fournit la charge utile via la fonctionnalité d'importation du plugin.
Sites ingérant des JSON/RSS distants : un attaquant modifie la source ou injecte des charges utiles alimentées au plugin.
Ingénierie sociale : l'attaquant demande à un Éditeur de “veuillez examiner mon post”, augmentant la chance que la charge utile soit vue.

Liste de contrôle d'action immédiate — que faire maintenant (0–72 heures)

Mettez à jour le plugin vers 2.0.10 (ou version ultérieure) immédiatement si vous utilisez JSON Content Importer. C'est la seule solution permanente.
Si vous ne pouvez pas mettre à jour immédiatement :
- Désactivez ou désinstallez le plugin jusqu'à ce que vous puissiez appliquer un correctif.
- Restreignez l'accès aux points de terminaison du plugin (voir les exemples temporaires de WAF/htaccess ci-dessous).
- Supprimez temporairement la capacité de Contributeur d'interagir avec le plugin ou restreignez les actions du rôle de Contributeur.
Scannez à la recherche d'indicateurs de compromission (IOC) :
- Recherchez des balises script dans les publications, postmeta et autres tables de plugins.
- Vérifiez les fichiers pour des fichiers PHP nouvellement ajoutés ou des modifications récentes.
- Recherchez des administrateurs créés ou des changements de rôle inattendus.
Forcez la réinitialisation des mots de passe pour tous les administrateurs et comptes privilégiés si vous détectez une activité suspecte.
Assurez-vous que des sauvegardes sont disponibles et effectuez une nouvelle sauvegarde avant la remédiation.

How to detect if you’ve been targeted / exploited

Le XSS stocké peut être furtif. Utilisez des analyses automatisées ainsi que des requêtes manuelles dans la base de données et un examen des journaux.

Recherchez des balises script dans la base de données :

-- Posts containing script tags
SELECT ID, post_title, post_author, post_date
FROM wp_posts
WHERE post_content LIKE '%


Search for common JS payload patterns:

onerror=
onload=
javascript:

</ul>
<p>Example WP‑CLI command:</p>
<pre><code># Search for "<script" in post content using WP-CLI
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<script%';"</code></pre>
<p>Server log review:</p>
<ul>
<li>Look for suspicious POST requests to plugin endpoints such as admin-ajax.php, plugin import endpoints, or unusual REST calls mapping to plugin routes.</li>
<li>Check for requests from unfamiliar IPs or spikes in contributor activity.</li>
</ul>
<p>Browser console evidence: administrators reporting popups, unexpected redirects, or automatic downloads may indicate JS execution.</p>
<p>File system checks:</p>
<pre><code># Find PHP files modified in last 14 days
find /var/www/html -type f -iname '*.php' -mtime -14 -ls</code></pre>
<p>User accounts:</p>
<pre><code>wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
wp user list --role=subscriber --role=contributor --fields=ID,user_login,user_email,user_registered</code></pre>
<h2 id="incident-response-if-you-suspect-compromise">Incident response — if you suspect compromise</h2>
<ol>
<li>Isolate the environment: put the site into maintenance mode or temporarily take it offline; isolate credentials and processes if hosting multiple sites on the same server.</li>
<li>Take a full backup (files + DB) immediately for forensics.</li>
<li>Identify the attack vector and affected records (use the detection queries above).</li>
<li>Clean the site:
<ul>
<li>Remove malicious entries from post_content/postmeta (manually or via clean backups).</li>
<li>Remove injected files and malicious scheduled tasks.</li>
<li>Reinstall core and plugin files from known clean sources.</li>
</ul>
</li>
<li>Reset credentials:
<ul>
<li>Force password reset for all admin users.</li>
<li>Rotate API keys, webhook secrets, and tokens stored on the site.</li>
</ul>
</li>
<li>Verify integrity with malware scans and log inspection for persistence or beaconing.</li>
<li>Restore from a clean backup if necessary.</li>
<li>Review and harden: update the plugin to 2.0.10+, re‑examine user roles and remove unnecessary contributor accounts, and deploy temporary request filtering where needed.</li>
</ol>
<p>If you are unsure at any step, engage a qualified WordPress security professional; persistent backdoors can be subtle and difficult to detect.</p>
<h2 id="short-term-mitigations-and-virtual-patching-waf-rules">Short‑term mitigations and virtual patching (WAF rules)</h2>
<p>If you cannot patch immediately, virtual patching with a properly configured WAF can reduce exposure. The examples below are generic and must be adapted and tested for your environment.</p>
<ol>
<li>Block common XSS payload patterns in requests targeting plugin endpoints:
<ul>
<li>Block if request contains “<script”, “onerror=”, “onload=”, “javascript:”, “svg/onload”, “img/onerror”.</li>
</ul>
</li>
<li>Rate limit POST requests to plugin endpoints and admin AJAX.</li>
<li>Restrict REQUEST_URI patterns that match plugin import paths if those endpoints are unused.</li>
</ol>
<p>Example ModSecurity style rule (adapt to your WAF platform):</p>
<pre><code># Example pattern-based WAF rule — adapt IDs & syntax to your WAF
SecRule REQUEST_URI "@pm /wp-admin/admin.php /wp-admin/admin-ajax.php /wp-json/" \
 "phase:2,t:none,chain,log,deny,msg:'Block potential stored XSS to plugin import endpoints',id:1000001"
  SecRule REQUEST_BODY|ARGS|ARGS_NAMES|XML:/* "@rx (<script\b|onerror\s*=|onload\s*=|javascript:|alert\(|<svg\b.*onload)" \
  "t:none,log,deny,status:403"</code></pre>
<p>Important: pattern matching may produce false positives. Run in log mode initially to tune rules before enforcing deny.</p>
<p>Temporary .htaccess protection for plugin folder:</p>
<pre><code># Deny access to plugin admin endpoints unless from trusted IPs (example)
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REQUEST_URI} ^/wp-content/plugins/json-content-importer/ [NC]
  # Allow trusted admin IP e.g. 203.0.113.5
  RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.5$
  RewriteRule ^.* - [F,L]
</IfModule></code></pre>
<p>Or deny public access to specific plugin PHP files unless strictly necessary.</p>
<h2 id="hardening-recommendations-long-term">Hardening recommendations (long term)</h2>
<ul>
<li>Keep everything updated — WordPress core, themes, and plugins.</li>
<li>Enforce least privilege: only grant Contributor or higher when required; consider manual approval for new contributors.</li>
<li>Require two‑factor authentication for elevated roles.</li>
<li>Reduce attack surface: uninstall or disable unused plugins, especially those that parse or import remote content.</li>
<li>Sanitize and escape:
<ul>
<li>Perform server‑side sanitization on input that may be output to admin pages.</li>
<li>Ensure plugin output is escaped using esc_html, esc_attr, wp_kses_post where appropriate.</li>
</ul>
</li>
<li>Implement a Content Security Policy (CSP) where compatible to limit inline script execution.</li>
<li>Prefer role‑scoped preview workflows that avoid exposing raw HTML from contributors to admins.</li>
<li>Log and monitor admin activity, file changes, and set up integrity checking (file hashes) and scheduled malware scans.</li>
<li>Harden file permissions and disable file editing by defining DISALLOW_FILE_EDIT in wp-config.php.</li>
<li>Choose plugins with active maintenance and a good security track record.</li>
</ul>
<h2 id="developer-checklist-what-to-fix-in-plugin-code">Developer checklist — what to fix in plugin code</h2>
<p>If you are auditing or maintaining code:</p>
<ul>
<li>Validate and sanitize all user‑controlled input before persisting to the database. Use wp_kses() / wp_kses_post() with a strict allowed set when HTML is expected.</li>
<li>Escape output when rendering in admin pages: esc_html(), esc_attr(), wp_kses_post(). Never echo unescaped HTML coming from untrusted users into admin pages.</li>
<li>Use nonce and capability checks on endpoints that accept input.</li>
<li>Avoid rendering raw JSON or unchecked data inside inline script blocks. If serializing data into JS, use wp_json_encode() and appropriate escaping.</li>
<li>Do not trust user roles alone — add contextual validation where appropriate.</li>
</ul>
<h2 id="useful-detection-cleanup-scripts">Useful detection & cleanup scripts</h2>
<p>Practical queries and commands you can run immediately.</p>
<pre><code>-- Search for "onerror=" and "onload=" in post content
SELECT ID, post_title, post_modified
FROM wp_posts
WHERE post_content LIKE '%onerror=%' OR post_content LIKE '%onload=%' OR post_content LIKE '%javascript:%';

-- Search for "<script" occurrences in postmeta
SELECT post_id, meta_key
FROM wp_postmeta
WHERE meta_value LIKE '%<script%';</code></pre>
<p>WP‑CLI example (use with caution and backups):</p>
<pre><code># Replace dangerous script tags with sanitized entity (backup first)
wp db query "UPDATE wp_posts SET post_content = REPLACE(post_content, '<script', '&lt;script') WHERE post_content LIKE '%<script%';"</code></pre>
<p>A safer approach is to export suspicious records and manually review before mass changes.</p>
<h2 id="why-a-waf-helps">Why a WAF helps</h2>
<p>A properly configured Web Application Firewall provides important short‑term benefits while you update vulnerable components:</p>
<ul>
<li>Virtual patching: block exploit patterns targeting plugin endpoints before the vendor update is applied.</li>
<li>Request inspection: catch and block payloads containing inline scripts, suspicious attributes, or known XSS signatures.</li>
<li>Detection: log and alert on suspicious requests, enabling faster incident response.</li>
</ul>
<p>WAFs are a layer in defense‑in‑depth and not a replacement for patching vulnerable code.</p>
<h2 id="example-waf-rule-logic-to-apply">Example WAF rule logic to apply</h2>
<ul>
<li>Deny POST requests with payloads containing common XSS constructs when targeting the plugin’s import/admin endpoints.</li>
<li>Block requests that include HTTP parameters like content= or json= with <script or onerror= patterns.</li>
<li>Run detection (log) mode first, tune rules to reduce false positives, then enable blocking.</li>
</ul>
<h2 id="practical-configuration-examples">Practical configuration examples</h2>
<ol>
<li>Limit Contributor role capabilities: remove upload_files and other unnecessary capabilities from Contributor.</li>
<li>Sanitize saves globally (temporary mu‑plugin):</li>
</ol>
<pre><code><?php
// Put in an mu-plugin to sanitize post content when saved by contributors
add_action('save_post', 'hk_sanitize_contributor_content', 10, 3);
function hk_sanitize_contributor_content($post_ID, $post, $update) {
  if (defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) return;
  $user = wp_get_current_user();
  if (in_array('contributor', (array)$user->roles)) {
    $clean = wp_kses($post->post_content, wp_kses_allowed_html('post'));
    if ($clean !== $post->post_content) {
      // Prevent infinite loop: remove action, update, re-add
      remove_action('save_post', 'hk_sanitize_contributor_content', 10);
      wp_update_post(array('ID' => $post_ID, 'post_content' => $clean));
      add_action('save_post', 'hk_sanitize_contributor_content', 10, 3);
    }
  }
}
?></code></pre>
<p>This is a temporary mitigation and does not replace the official plugin patch.</p>
<h2 id="post-update-verification">Post‑update verification</h2>
<ol>
<li>Confirm the plugin update applied successfully.</li>
<li>Re‑scan the database for XSS artifacts (script tags, event handlers).</li>
<li>Inspect admin pages where plugin output is shown to confirm values are escaped.</li>
<li>Review access logs for exploitation attempts and confirm any WAF logging shows expected entries.</li>
<li>Rotate admin credentials and API keys if you found evidence of compromise.</li>
</ol>
<h2 id="frequently-asked-questions">Frequently asked questions</h2>
<h3 id="q-im-a-small-blog-with-no-contributors-am-i-at-risk">Q: I’m a small blog with no contributors — am I at risk?</h3>
<p>A: Lower risk, but not zero. If any role beyond Subscriber interacts with the plugin, or if the plugin consumes remote JSON, you may be vulnerable. Update the plugin and review your usage.</p>
<h3 id="q-if-i-uninstall-the-plugin-does-that-remove-the-stored-payload">Q: If I uninstall the plugin, does that remove the stored payload?</h3>
<p>A: Not necessarily. Uninstalling may leave data in the database (options, postmeta). You should search for and remove malicious content in the database regardless of plugin removal.</p>
<h3 id="q-does-this-affect-front-end-only-or-admin-pages-too">Q: Does this affect front end only, or admin pages too?</h3>
<p>A: Stored XSS persists and can execute in any context that renders the malicious data — including admin pages. Admin UI rendering is particularly high risk.</p>
<h2 id="best-practices-recap">Best practices recap</h2>
<ul>
<li>Update the plugin to 2.0.10 immediately.</li>
<li>If you cannot update, disable the plugin, restrict Contributor access, and deploy virtual patches.</li>
<li>Scan the database and files for injected scripts and suspicious changes.</li>
<li>Enforce least privilege and require 2FA for elevated roles.</li>
<li>Implement monitoring, integrity checks, and a layered security posture with logging and regular scans.</li>
</ul>
<h2 id="example-forensic-checklist-what-to-look-for-after-an-exploit">Example forensic checklist (what to look for after an exploit)</h2>
<ul>
<li>New or modified admin users in the last 30 days.</li>
<li>Unexpected scheduled tasks (wp_cron entries calling unknown PHP files).</li>
<li>Database entries in wp_posts/postmeta containing <script> tags or onerror/onload attributes.</li>
<li>Modified core/plugin/theme files, especially if edited outside maintenance windows.</li>
<li>Outbound connections to suspicious IPs or domains (beacons).</li>
<li>Access logs showing POSTs to plugin import endpoints with suspicious payloads.</li>
</ul>
<h2 id="final-thoughts-from-a-hong-kong-security-expert">Final thoughts from a Hong Kong security expert</h2>
<p>Stored XSS that can be inserted by low‑privileged actors is particularly dangerous in CMS environments because it leverages normal human workflows like content review. Social engineering makes exploitation low effort and high impact. Patch as the primary remediation, and simultaneously apply short‑term mitigations — virtual patching, role restrictions, server‑side sanitization, and monitoring — to reduce the risk window.</p>
<p>If you require help implementing rules, running a forensic scan, or performing incident response, engage an experienced WordPress security practitioner. Rapid, careful investigation is critical when you suspect compromise.</p>
<p>Stay vigilant, keep plugins updated, and apply least privilege across content workflows.</p>
<p><em>— Hong Kong WordPress Security Advisory</em></p>
</article>
<p></body><br />
</html></p>

		</div>
		<section class="post-tags"><ul><li><h5 class="title-tags">Étiquettes :</h5></li><li><a href="https://wp-security.org/fr/tag/wordpress-security/" rel="tag">WordPress Security</a></li></ul></section>		<div class="pk-share-buttons-wrap pk-share-buttons-layout-default pk-share-buttons-scheme-bold-bg pk-share-buttons-has-counts pk-share-buttons-has-total-counts pk-share-buttons-after-post pk-share-buttons-mode-php pk-share-buttons-mode-rest" data-post-id="3543" data-share-url="https://wp-security.org/fr/vulnerability-database/community-alert-xss-in-json-importercve202515363/" >

							<div class="pk-share-buttons-total pk-share-buttons-total-no-count">
							<div class="pk-share-buttons-count cs-font-primary">0 Shares:</div>
						</div>
				
			<div class="pk-share-buttons-items">

										<div class="pk-share-buttons-item pk-share-buttons-facebook pk-share-buttons-no-count" data-id="facebook">

							<a href="https://www.facebook.com/sharer.php?u=https://wp-security.org/fr/vulnerability-database/community-alert-xss-in-json-importercve202515363/" class="pk-share-buttons-link" target="_blank">

																	<i class="pk-share-buttons-icon pk-icon pk-icon-facebook"></i>
								
								
																	<span class="pk-share-buttons-label pk-font-primary">Partager</span>
								
																	<span class="pk-share-buttons-count pk-font-secondary">0</span>
															</a>

							
							
													</div>
											<div class="pk-share-buttons-item pk-share-buttons-twitter pk-share-buttons-no-count" data-id="twitter">

							<a href="https://x.com/share?&text=%3Ctrp-post-container%20data-trp-post-id%3D%273543%27%3ECommunity%20Alert%20XSS%20in%20JSON%20Importer%28CVE202515363%29%3C%2Ftrp-post-container%3E&url=https://wp-security.org/fr/vulnerability-database/community-alert-xss-in-json-importercve202515363/" class="pk-share-buttons-link" target="_blank">

																	<i class="pk-share-buttons-icon pk-icon pk-icon-twitter"></i>
								
								
																	<span class="pk-share-buttons-label pk-font-primary">Tweeter</span>
								
																	<span class="pk-share-buttons-count pk-font-secondary">0</span>
															</a>

							
							
													</div>
											<div class="pk-share-buttons-item pk-share-buttons-pinterest pk-share-buttons-no-count" data-id="pinterest">

							<a href="https://pinterest.com/pin/create/bookmarklet/?url=https://wp-security.org/fr/vulnerability-database/community-alert-xss-in-json-importercve202515363/&media=https://wp-security.org/wp-content/uploads/2026/03/2026-03-19CVE202515363WordPress-JSON-Content-Importer-Plugin-1024x576.jpg" class="pk-share-buttons-link" target="_blank">

																	<i class="pk-share-buttons-icon pk-icon pk-icon-pinterest"></i>
								
								
																	<span class="pk-share-buttons-label pk-font-primary">Épingler</span>
								
																	<span class="pk-share-buttons-count pk-font-secondary">0</span>
															</a>

							
							
													</div>
								</div>
		</div>
	

<section class="post-author">

	<div class="authors-compact">

			<div class="author-wrap">
			<div class="author">
				<div class="author-avatar">
					<a href="https://wp-security.org/fr/author/wp-security/" rel="author">
						<img alt='' src='https://secure.gravatar.com/avatar/16bf83a02c7c3aa39247769e866366c2ea8ccfb8bd88a16ef3ac35925a1da888?s=120&#038;d=mm&#038;r=g' srcset='https://secure.gravatar.com/avatar/16bf83a02c7c3aa39247769e866366c2ea8ccfb8bd88a16ef3ac35925a1da888?s=240&#038;d=mm&#038;r=g 2x' class='avatar avatar-120 photo' height='120' width='120' decoding='async'/>					</a>
				</div>
				<div class="author-description">
					<h5 class="title-author">
						<span class="fn">
							<a href="https://wp-security.org/fr/author/wp-security/" rel="author">
								WP Security Vulnerability Report							</a>
						</span>
					</h5>
					<p class="note"></p>
									</div>
			</div>
		</div>
	
	</div>

</section>


<div id="disqus_thread"></div>
	</div>

				</div>
			
	
</article>

					<div class="post-prev-next">
						<a class="link-item prev-link" href="https://wp-security.org/fr/vulnerability-database/secure-community-database-reporting-guidenone/">
					<div class="link-content">
						<div class="link-label">
							<span class="link-arrow"></span><span class="link-text"> — Article précédent</span>
						</div>

						<h2 class="entry-title">
							Secure Community Database Reporting Guide(None)						</h2>
					</div>
				</a>
							<a class="link-item next-link" href="https://wp-security.org/fr/vulnerability-database/hong-kong-security-advisory-code-embed-xsscve20262512/">
					<div class="link-content">
						<div class="link-label">
							<span class="link-text">Article suivant — </span><span class="link-arrow"></span>
						</div>

						<h2 class="entry-title">
							Hong Kong Security Advisory Code Embed XSS(CVE20262512)						</h2>
					</div>
				</a>
				</div>
		<section class="post-archive archive-related">

			<div class="archive-wrap">

				
				<div class="title-block-wrap">
					<h5 class="title-block">
						Vous aimerez aussi					</h5>
				</div>

				<div class="archive-main archive-list  archive-heading-small archive-borders-enabled archive-shadow-enabled archive-scale-enabled">

					
<article class="entry-without-preview post-1652 post type-post status-publish format-standard has-post-thumbnail category-vulnerability-database tag-wordpress-security">
	<div class="post-outer">
		
		
		<div class="post-inner">
			<div class="meta-category"><a class="category-style" href="https://wp-security.org/fr/category/vulnerability-database/"><span style="background-color:#EDF2FF" data-color="#EDF2FF" data-color-dark="#555555" class="char" data-scheme="default">W</span><span class="label">WordPress Vulnerability Database</span></a></div>			<header class="entry-header">
				<h2 class="entry-title"><a href="https://wp-security.org/fr/vulnerability-database/hong-kong-security-advisory-discourse-plugin-leakcve202511983/" rel="bookmark">Hong Kong Security Advisory Discourse Plugin Leak(CVE202511983)</a></h2><ul class="post-meta"><li class="meta-date">novembre 3, 2025</li></ul>			</header>

							<div class="entry-details">
											<div class="entry-excerpt">
							WordPress WP Discourse plugin &lt;= 2.5.9 - Authenticated (Author+) Information Exposure vulnerability						</div>
					
									</div>
			
		</div><!-- .post-inner -->

	</div><!-- .post-outer -->
</article>

<article class="entry-without-preview post-3195 post type-post status-publish format-standard has-post-thumbnail category-vulnerability-database tag-wordpress-security">
	<div class="post-outer">
		
		
		<div class="post-inner">
			<div class="meta-category"><a class="category-style" href="https://wp-security.org/fr/category/vulnerability-database/"><span style="background-color:#EDF2FF" data-color="#EDF2FF" data-color-dark="#555555" class="char" data-scheme="default">W</span><span class="label">WordPress Vulnerability Database</span></a></div>			<header class="entry-header">
				<h2 class="entry-title"><a href="https://wp-security.org/fr/vulnerability-database/hong-kong-security-alert-privilege-escalationcve202627541/" rel="bookmark">Hong Kong Security Alert Privilege Escalation(CVE202627541)</a></h2><ul class="post-meta"><li class="meta-date">février 22, 2026</li></ul>			</header>

							<div class="entry-details">
											<div class="entry-excerpt">
							Privilege Escalation in WordPress Wholesale Suite Plugin						</div>
					
									</div>
			
		</div><!-- .post-inner -->

	</div><!-- .post-outer -->
</article>

<article class="entry-without-preview post-1047 post type-post status-publish format-standard has-post-thumbnail category-vulnerability-database tag-wordpress-security">
	<div class="post-outer">
		
		
		<div class="post-inner">
			<div class="meta-category"><a class="category-style" href="https://wp-security.org/fr/category/vulnerability-database/"><span style="background-color:#EDF2FF" data-color="#EDF2FF" data-color-dark="#555555" class="char" data-scheme="default">W</span><span class="label">WordPress Vulnerability Database</span></a></div>			<header class="entry-header">
				<h2 class="entry-title"><a href="https://wp-security.org/fr/vulnerability-database/alert-nexter-blocks-stored-cross-site-scriptingcve20258567/" rel="bookmark">Alert Nexter Blocks Stored Cross Site Scripting(CVE20258567)</a></h2><ul class="post-meta"><li class="meta-date">août 18, 2025</li></ul>			</header>

							<div class="entry-details">
											<div class="entry-excerpt">
							WordPress Nexter Blocks plugin &lt;= 4.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability						</div>
					
									</div>
			
		</div><!-- .post-inner -->

	</div><!-- .post-outer -->
</article>

<article class="entry-without-preview post-765 post type-post status-publish format-standard has-post-thumbnail category-vulnerability-database tag-wordpress-security">
	<div class="post-outer">
		
		
		<div class="post-inner">
			<div class="meta-category"><a class="category-style" href="https://wp-security.org/fr/category/vulnerability-database/"><span style="background-color:#EDF2FF" data-color="#EDF2FF" data-color-dark="#555555" class="char" data-scheme="default">W</span><span class="label">WordPress Vulnerability Database</span></a></div>			<header class="entry-header">
				<h2 class="entry-title"><a href="https://wp-security.org/fr/vulnerability-database/hk-security-alerts-wordpress-php-object-injectioncve202554007/" rel="bookmark">HK Security Alerts WordPress PHP Object Injection(CVE202554007)</a></h2><ul class="post-meta"><li class="meta-date">août 8, 2025</li></ul>			</header>

							<div class="entry-details">
											<div class="entry-excerpt">
							WordPress Post Grid and Gutenberg Blocks Plugin &lt;= 2.3.11 - PHP Object Injection Vulnerability						</div>
					
									</div>
			
		</div><!-- .post-inner -->

	</div><!-- .post-outer -->
</article>

<article class="entry-without-preview post-2204 post type-post status-publish format-standard has-post-thumbnail category-vulnerability-database tag-wordpress-security">
	<div class="post-outer">
		
		
		<div class="post-inner">
			<div class="meta-category"><a class="category-style" href="https://wp-security.org/fr/category/vulnerability-database/"><span style="background-color:#EDF2FF" data-color="#EDF2FF" data-color-dark="#555555" class="char" data-scheme="default">W</span><span class="label">WordPress Vulnerability Database</span></a></div>			<header class="entry-header">
				<h2 class="entry-title"><a href="https://wp-security.org/fr/vulnerability-database/hong-kong-advisory-csrf-risks-in-wpblogsyncve202514389/" rel="bookmark">Hong Kong Advisory CSRF Risks in WPBlogSyn(CVE202514389)</a></h2><ul class="post-meta"><li class="meta-date">janvier 13, 2026</li></ul>			</header>

							<div class="entry-details">
											<div class="entry-excerpt">
							Cross Site Request Forgery (CSRF) in WordPress WPBlogSyn Plugin						</div>
					
									</div>
			
		</div><!-- .post-inner -->

	</div><!-- .post-outer -->
</article>

<article class="entry-without-preview post-3639 post type-post status-publish format-standard has-post-thumbnail category-vulnerability-database tag-wordpress-security">
	<div class="post-outer">
		
		
		<div class="post-inner">
			<div class="meta-category"><a class="category-style" href="https://wp-security.org/fr/category/vulnerability-database/"><span style="background-color:#EDF2FF" data-color="#EDF2FF" data-color-dark="#555555" class="char" data-scheme="default">W</span><span class="label">WordPress Vulnerability Database</span></a></div>			<header class="entry-header">
				<h2 class="entry-title"><a href="https://wp-security.org/fr/vulnerability-database/protecting-wordpress-media-from-csrf-threatscve20264068/" rel="bookmark">Protecting WordPress Media From CSRF Threats(CVE20264068)</a></h2><ul class="post-meta"><li class="meta-date">mars 21, 2026</li></ul>			</header>

							<div class="entry-details">
											<div class="entry-excerpt">
							Cross Site Request Forgery (CSRF) in WordPress Add Custom Fields to Media Plugin						</div>
					
									</div>
			
		</div><!-- .post-inner -->

	</div><!-- .post-outer -->
</article>
				</div>

			</div>

		</section>
	
	
	
			
			
		</main>

		
	</div><!-- .content-area -->


						
					</div><!-- .main-content -->

					
				</div><!-- .cs-container -->

				
			</div><!-- .site-content -->

			
			
			<footer id="colophon" class="site-footer">
									<div class="footer-subscribe">
						<div class="cs-container">
							<div class="subscribe-wrap">
															</div>
						</div>
					</div>
					
				
				<div class="footer-info">

					<div class="cs-container">

						<div class="site-info">

							<div class="footer-col-info">
																	<span class="site-title footer-title" href="https://wp-security.org/fr/" rel="home">
										
										<img src="https://wp-security.org/wp-content/uploads/2025/08/WP-Security-logo-1-e1754494371106.png"  alt="WP Security" >									</span>
																										<div class="footer-copyright">
										© 2025 WP-Security.org Disclaimer: WP-Security.org is an independent, non-profit NGO community committed to sharing WordPress security news and information. We are not affiliated with WordPress, its parent company, or any related entities. All trademarks are the property of their respective owners.									</div>
																</div>

							
							
						</div>

					</div>

				</div>

			</footer>

			
		</div>

	</div><!-- .site-inner -->

	
</div><!-- .site -->


<template id="tp-language" data-tp-language="fr_FR"></template><script type="speculationrules">
{"prefetch":[{"source":"document","where":{"and":[{"href_matches":"/fr/*"},{"not":{"href_matches":["/wp-*.php","/wp-admin/*","/wp-content/uploads/*","/wp-content/*","/wp-content/plugins/*","/wp-content/themes/squaretype/*","/fr/*\\?(.+)"]}},{"not":{"selector_matches":"a[rel~=\"nofollow\"]"}},{"not":{"selector_matches":".no-prefetch, .no-prefetch a"}}]},"eagerness":"conservative"}]}
</script>
			<a href="#top" class="pk-scroll-to-top">
				<i class="pk-icon pk-icon-up"></i>
			</a>
					<div class="pk-mobile-share-overlay">
							</div>
			
			<script type="text/javascript">
				var _paq = _paq || [];
					_paq.push(['setCustomDimension', 1, '{"ID":3,"name":"WP Security Vulnerability Report","avatar":"f7de7e299d4a4b4c92c6f2c2a29a7ca7"}']);
				_paq.push(['trackPageView']);
								(function () {
					var u = "https://analytics2.wpmudev.com/";
					_paq.push(['setTrackerUrl', u + 'track/']);
					_paq.push(['setSiteId', '24942']);
					var d   = document, g = d.createElement('script'), s = d.getElementsByTagName('script')[0];
					g.type  = 'text/javascript';
					g.async = true;
					g.defer = true;
					g.src   = 'https://analytics.wpmucdn.com/matomo.js';
					s.parentNode.insertBefore(g, s);
				})();
			</script>
			<script id='kirki-viewport-lists'>var kirkiViewports = {"md":{"value":1200,"scale":1,"minWidth":1200,"maxWidth":1200,"title":"Desktop","icon":"desktop","activeIcon":"desktop-hover","id":"md","type":"max"},"tablet":{"value":991,"scale":1,"minWidth":991,"maxWidth":991,"title":"Tablet","icon":"tablet-default","activeIcon":"tablet-hover","type":"max","id":"tablet"},"mobileLandscape":{"value":767,"scale":1,"minWidth":767,"maxWidth":767,"title":"Landscape","icon":"phone-hr-default","activeIcon":"phone-hr-hover","type":"max","id":"mobileLandscape"},"mobile":{"value":575,"scale":1,"minWidth":575,"maxWidth":575,"title":"Mobile","icon":"phone-vr-default","activeIcon":"phone-vr-hover","type":"max","id":"mobile"}};</script><script id='kirki-variable-lists'>var kirkiCSSVariable = {"data":[{"title":"Colors","key":"color","modes":[{"title":"Default","key":"default"}],"variables":[]},{"title":"Numbers","key":"size","modes":[{"title":"Default","key":"default"}],"variables":[]},{"title":"Font Family","key":"font-family","modes":[{"title":"Default","key":"default"}],"variables":[]},{"title":"Text Styles","key":"text-style","modes":[{"title":"Default","key":"default"}],"variables":[]}]};</script><script id="kirki-api-and-nonce">
    window.wp_kirki = {
        ajaxUrl: "https://wp-security.org/wp-admin/admin-ajax.php",
        restUrl: "https://wp-security.org/fr/wp-json/",
        siteUrl: "https://wp-security.org",
        apiVersion: "v1",
        postId: "3543",
        nonce: "72270e053a",
        call_from: "",
        templateId: "",
        context: {"id":3543,"type":"post"}
    };
    </script><script type="importmap" id="wp-importmap">
{"imports":{"@wordpress/interactivity":"https://wp-security.org/wp-includes/js/dist/script-modules/interactivity/index.min.js?ver=66c613f68580994bb00a","@surecart/checkout":"https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/checkout/index.js?ver=3bbe28b8db1e11147c67","@surecart/checkout-events":"https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/checkout-events/index.js?ver=ed9647bd6c7865efe2ad","@surecart/checkout-service":"https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/checkout-actions/index.js?ver=e445a0ee0396d75d52c0","@surecart/google-events":"https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/google/index.js?ver=d92e383a18bcf54ea538","@surecart/facebook-events":"https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/facebook/index.js?ver=cf5c6499cb7b867894c1","@wordpress/a11y":"https://wp-security.org/wp-includes/js/dist/script-modules/a11y/index.min.js?ver=b7d06936b8bc23cff2ad","@surecart/api-fetch":"https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/fetch/index.js?ver=1bfba8ea0694a193022a"}}
</script>
<script type="module" src="https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/line-item-note/index.js?ver=af6cf14267b5a9ad219f" id="@surecart/line-item-note-js-module"></script>
<script type="module" src="https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/checkout/index.js?ver=3bbe28b8db1e11147c67" id="@surecart/checkout-js-module"></script>
<script type="module" src="https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/cart/index.js?ver=c2f35b71b4309df849fe" id="@surecart/cart-js-module"></script>
<script type="module" src="https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/order-bumps/index.js?ver=c639def39210a6244eb2" id="@surecart/order-bumps-js-module"></script>
<script type="application/json" id="wp-script-module-data-@wordpress/interactivity">
{"state":{"surecart/order-bumps":{"currentPage":1,"perPage":3},"surecart/checkout":{"checkout":{"line_items":{"data":[]}},"discountIsRedeemable":false,"isDiscountApplied":false,"hasDiscountAmount":false,"hasSubtotalScratchAmount":false,"itemsCount":0,"hasItems":false}}}
</script>
		<div id="fb-root"></div>
		<script async defer crossorigin="anonymous" src="https://connect.facebook.net/fr_FR/sdk.js#xfbml=1&version=v17.0&appId=&autoLogAppEvents=1" nonce="Ci8te34e"></script>
					<script>
					window.scFetchData =
					{"root_url":"https:\/\/wp-security.org\/fr\/wp-json\/","nonce":"72270e053a","nonce_endpoint":"https:\/\/wp-security.org\/wp-admin\/admin-ajax.php?action=sc-rest-nonce"}				</script>
				<!-- Render the cart. --> <div data-wp-context='{"formId":131,"mode":"live"}' data-wp-interactive='{ "namespace": "surecart/checkout" }' data-wp-init="callbacks.init" data-wp-watch="callbacks.onChangeCheckout" data-wp-on-window--storage="callbacks.syncTabs" class="sc-cart-wrapper is-layout-flow wp-container-surecart-slide-out-cart-is-layout-d6743c7d wp-block-surecart-slide-out-cart-is-layout-flow" > <div style="width: 525px; font-size:15px;" class="sc-drawer sc-cart-drawer wp-block-surecart-slide-out-cart" role="dialog" data-wp-bind--aria-label="surecart/cart::state.ariaLabel" data-wp-class--open="surecart/cart::state.open" data-wp-on--keydown="surecart/cart::actions.handleKeydown" > <!-- Cart alert --> <div class="sc-alert sc-alert__alert--danger" role="alert" aria-live="assertive" aria-atomic="true" data-wp-bind--hidden="!state.error" hidden> <div class="sc-alert__icon"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <circle cx="12" cy="12" r="10" /> <line x1="12" y1="8" x2="12" y2="12" /> <line x1="12" y1="16" x2="12.01" y2="16" /> </svg> </div> <div class="sc-alert__text"> <div class="sc-alert__title"> <span data-wp-text="state.errorTitle"></span> </div> <div class="sc-alert__message"> <div data-wp-text="state.errorMessage"></div> <template data-wp-each--message="state.additionalErrors"> <div> <span data-wp-text="context.message"></span> </div> </template> </div> </div> </div> <div class="wp-block-group is-content-justification-space-between is-nowrap is-layout-flex wp-container-core-group-is-layout-09de181c wp-block-group-is-layout-flex" style="padding-top:1.5em;padding-right:2em;padding-bottom:0em;padding-left:2em"> <div style="line-height:1;" class="wp-block-surecart-cart-close-button" data-wp-on--click="surecart/cart::actions.toggle" data-wp-on--keypress="surecart/cart::actions.toggle" role="button" tabindex="0" aria-label="Fermer le panier" > <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <line x1="5" y1="12" x2="19" y2="12" /> <polyline points="12 5 19 12 12 19" /> </svg> </div> <p style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;font-size:16px;font-style:normal;font-weight:500;line-height:1"> Vérifiez ma commande</p> <span style="font-size:14px;font-weight:600;line-height:1; border-radius:4px; padding-top:6px;padding-bottom:6px;padding-left:10px;padding-right:10px;" class="wp-block-surecart-cart-count" data-wp-text="state.itemsCount">0</span> </div> <div class="wp-block-group wp-container-content-9cfa9a5a"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow"> <div style="padding-top:2em;padding-bottom:2em;padding-left:2em;padding-right:2em;" class="wp-block-surecart-slide-out-cart-line-items is-layout-flow wp-container-surecart-slide-out-cart-line-items-is-layout-546f3c6d wp-block-surecart-slide-out-cart-line-items-is-layout-flow" role="list"> <template data-wp-each--line_item="state.checkoutLineItems" data-wp-each-key="context.line_item.id" > <div class="sc-product-line-item" data-wp-class--sc-product-line-item--has-swap="state.swap" role="listitem" data-wp-bind--aria-label="state.lineItemAriaLabel"> <div class="sc-product-line-item__content"> <div class="wp-block-group wp-container-content-9cfa9a5a"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow"> <div class="wp-block-group is-nowrap is-layout-flex wp-container-core-group-is-layout-bd3f9bef wp-block-group-is-layout-flex"> <figure class="sc-cart-line-item-image-wrap wp-container-content-962be591 wp-duotone-unset-1" data-wp-bind--hidden="!context.line_item.image.src"> <img style="aspect-ratio:1;border-radius:4px;border-width:1px;margin-top:0;margin-bottom:0; margin-top:0;margin-bottom:0;" class="sc-is-covered wp-block-surecart-cart-line-item-image" data-wp-bind--alt="context.line_item.image.alt" data-wp-bind--srcset="context.line_item.image.srcset" data-wp-bind--sizes="context.line_item.image.sizes" data-wp-bind--src="context.line_item.image.src" loading="lazy" /> </figure> <div class="wp-block-group wp-container-content-9cfa9a5a is-vertical is-content-justification-stretch is-nowrap is-layout-flex wp-container-core-group-is-layout-a46423eb wp-block-group-is-layout-flex"> <div class="wp-block-group wp-container-content-9cfa9a5a is-content-justification-space-between is-nowrap is-layout-flex wp-container-core-group-is-layout-eb80f53d wp-block-group-is-layout-flex"> <div class="wp-block-group wp-container-content-9cfa9a5a"><div class="wp-block-group__inner-container is-layout-flow wp-container-core-group-is-layout-d6743c7d wp-block-group-is-layout-flow"> <a style="font-style:normal;font-weight:500;line-height:1.4;text-decoration:none;" class="wp-block-surecart-cart-line-item-title" data-wp-bind--href="state.lineItemPermalink"> <span data-wp-text="context.line_item.price.product.name"></span> </a> <div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-container-core-group-is-layout-d6743c7d wp-block-group-is-layout-flow"> <div style="font-size:14px;line-height:1.4;" class="wp-block-surecart-cart-line-item-price-name" data-wp-text="state.lineItemPriceName" data-wp-bind--hidden="!state.lineItemPriceName"></div> <div style="font-size:14px;line-height:1.4;" class="wp-block-surecart-cart-line-item-variant" data-wp-text="state.lineItemVariant" data-wp-bind--hidden="!state.lineItemVariant"></div> <div data-wp-interactive='{ "namespace": "surecart/line-item-note" }' style="font-size:14px;line-height:1.4;" class="wp-block-surecart-cart-line-item-note" data-wp-context='{}' data-wp-run="callbacks.init" data-wp-class--line-item-note--is-expanded="context.noteExpanded" data-wp-class--line-item-note--is-collapsible="context.showToggle" data-wp-bind--hidden="surecart/checkout::!state.lineItemNote" data-wp-on--click="actions.toggleNoteExpanded" data-wp-on--keydown="actions.toggleNoteExpanded" data-wp-bind--role="button" data-wp-bind--disabled="!context.showToggle" data-wp-bind--aria-expanded="context.noteExpanded" data-wp-bind--aria-label="Toggle note visibility" tabindex="0" > <div class="line-item-note__text" data-wp-text="surecart/checkout::state.lineItemNote" ></div> <span class="sc-icon" data-wp-class--sc-icon--rotated="context.noteExpanded" > <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <polyline points="6 9 12 15 18 9" /> </svg> </span> </div> </div></div> <div class="sc-product-line-item__purchasable-status wp-block-surecart-cart-line-item-status has-text-align-right" data-wp-text="context.line_item.purchasable_status_display" data-wp-bind--hidden="!context.line_item.purchasable_status_display" role="status" aria-live="polite" aria-atomic="true" >&nbsp;</div> </div></div> <div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-container-core-group-is-layout-d6743c7d wp-block-group-is-layout-flow"> <div class="wp-block-group is-content-justification-right is-nowrap is-layout-flex wp-container-core-group-is-layout-f8a47911 wp-block-group-is-layout-flex" style="line-height:1.4"> <div class="wp-block-surecart-cart-line-item-scratch-amount" data-wp-text="context.line_item.scratch_display_amount" data-wp-bind--hidden="!state.lineItemHasScratchAmount" ></div> <div style="font-style:normal;font-weight:500;" class="wp-block-surecart-cart-line-item-amount has-text-align-right" data-wp-text="context.line_item.subtotal_display_amount"></div> <div style="font-size:14px;" class="wp-block-surecart-cart-line-item-interval" data-wp-bind--hidden="!context.line_item.price.short_interval_text"> <span class="wp-block-surecart-cart-line-item-interval__interval" data-wp-bind--hidden="!context.line_item.price.short_interval_text" data-wp-text="context.line_item.price.short_interval_text" ></span> <span class="wp-block-surecart-cart-line-item-interval__count" data-wp-bind--hidden="!context.line_item.price.short_interval_count_text" data-wp-text="context.line_item.price.short_interval_count_text" ></span> </div> </div> <div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-container-core-group-is-layout-d6743c7d wp-block-group-is-layout-flow"> <div style="font-size:14px;" class="wp-block-surecart-cart-line-item-trial has-text-align-right" data-wp-bind--hidden="!context.line_item.price.trial_text" data-wp-text="context.line_item.price.trial_text" ></div> <template data-wp-each--fee="state.lineItemFees" data-wp-each-key="context.fee.id" > <div style="font-size:14px;" class="wp-block-surecart-cart-line-item-fees has-text-align-right"> <span style="font-size:14px;" class="wp-block-surecart-cart-line-item-fees has-text-align-right" data-wp-text="context.fee.display_amount" ></span> <span style="font-size:14px;" class="wp-block-surecart-cart-line-item-fees has-text-align-right" data-wp-text="context.fee.description" ></span> </div> </template> </div></div> </div></div> </div> <div class="wp-block-group is-content-justification-space-between is-nowrap is-layout-flex wp-container-core-group-is-layout-c0dd7891 wp-block-group-is-layout-flex"> <div class="wp-block-group wp-container-content-9cfa9a5a"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow"><div class="sc-input-group sc-input-group-sm sc-quantity-selector wp-block-surecart-cart-line-item-quantity" data-wp-class--quantity--disabled="state.isQuantityDisabled" data-wp-bind--hidden="!state.isEditable" hidden="1"> <div class="sc-input-group-text sc-quantity-selector__decrease" role="button" tabindex="0" data-wp-on--click="surecart/checkout::actions.onQuantityDecrease" data-wp-on--keydown="surecart/checkout::actions.onQuantityDecrease" data-wp-bind--disabled="state.isQuantityDecreaseDisabled" data-wp-bind--aria-disabled="state.isQuantityDecreaseDisabled" data-wp-class--button--disabled="state.isQuantityDecreaseDisabled" data-wp-bind--aria-label="surecart/checkout::state.decreaseQuantityAriaLabel" > <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <line x1="5" y1="12" x2="19" y2="12" /> </svg> </div> <input type="number" class="sc-form-control sc-quantity-selector__control" data-wp-bind--value="context.line_item.quantity" data-wp-on--change="surecart/checkout::actions.onQuantityChange" data-wp-bind--min="context.line_item.min" data-wp-bind--aria-valuemin="context.line_item.min" data-wp-bind--max="context.line_item.max" data-wp-bind--aria-valuemax="context.line_item.max" data-wp-bind--aria-valuenow="context.line_item.quantity" data-wp-bind--disabled="surecart/checkout::state.loading" data-wp-bind--aria-label="surecart/checkout::state.quantityInputAriaLabel" step="1" autocomplete="off" role="spinbutton" /> <div class="sc-input-group-text sc-quantity-selector__increase" role="button" tabindex="0" data-wp-on--click="surecart/checkout::actions.onQuantityIncrease" data-wp-on--keydown="surecart/checkout::actions.onQuantityIncrease" data-wp-bind--disabled="state.isQuantityIncreaseDisabled" data-wp-bind--aria-disabled="state.isQuantityIncreaseDisabled" data-wp-class--button--disabled="state.isQuantityIncreaseDisabled" data-wp-bind--aria-label="surecart/checkout::state.increaseQuantityAriaLabel" > <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <line x1="12" y1="5" x2="12" y2="19" /> <line x1="5" y1="12" x2="19" y2="12" /> </svg> </div> </div> </div></div> <div class="wp-block-group is-vertical is-content-justification-right is-layout-flex wp-container-core-group-is-layout-4269a6fd wp-block-group-is-layout-flex"> <div style="font-size:14px;font-style:normal;font-weight:400;" class="wp-block-surecart-cart-line-item-remove" data-wp-bind--aria-label="surecart/checkout::state.removeItemAriaLabel" data-wp-on--click="surecart/checkout::actions.removeLineItem" data-wp-on--keydown="surecart/checkout::actions.removeLineItem" role="button" tabindex="0" > <svg class="wp-block-surecart-cart-line-item-remove__icon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <line x1="18" y1="6" x2="6" y2="18" /> <line x1="6" y1="6" x2="18" y2="18" /> </svg> <span class="wp-block-surecart-cart-line-item-remove__label"> Retirer </span> </div> </div> </div> </div> </div> </div></div> </div> <div class="sc-product-line-item__swap" data-wp-bind--hidden="!state.swap" hidden data-wp-on--click="actions.toggleSwap"> <div class="sc-product-line-item__swap-content"> <button type="button" class="sc-toggle" role="switch" aria-checked="false" data-wp-bind--aria-checked="context.line_item.swap" data-wp-class--sc-toggle--checked="context.line_item.swap"> <span class="sc-toggle__label">Utiliser le paramètre</span> <span aria-hidden="true" class="sc-toggle__knob"></span> </button> <span data-wp-text="state.swap.description"></span> </div> <div class="sc-product-line-item__swap-amount"> <span data-wp-text="state.swapDisplayAmount" class="sc-product-line-item__swap-amount-value"></span> <span data-wp-text="state.swapIntervalText" class="sc-product-line-item__swap-amount-interval"></span> <span data-wp-text="state.swapIntervalCountText" class="sc-product-line-item__swap-amount-interval-count"></span> </div> </div> </div> </template> </div> </div></div> <div class="wp-block-group" style="border-top-color:#b0b0b069;border-top-width:1px;padding-top:0em;padding-right:0em;padding-bottom:0em;padding-left:0em"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow"> <div style="border-bottom-width:1px;border-bottom-color:#b0b0b069; padding-top:1.5em;padding-bottom:1.5em;padding-left:2em;padding-right:2em;" class="wp-block-surecart-cart-order-bumps" data-wp-context='{"hideAddedItems":true}' data-wp-interactive='{ "namespace": "surecart/order-bumps" }' data-wp-init="callbacks.init" data-wp-bind--hidden="!state.hasOrderBumps" hidden> <div class="wp-block-group is-content-justification-space-between is-nowrap is-layout-flex wp-container-core-group-is-layout-1ceffb7a wp-block-group-is-layout-flex" style="margin-bottom:0.75em"> <p style="margin-top:0;margin-bottom:0;font-style:normal;font-weight:500">Suggéré pour vous</p> <nav class="wp-block-surecart-cart-order-bump-pagination is-layout-flex wp-container-surecart-cart-order-bump-pagination-is-layout-d04bdab2 wp-block-surecart-cart-order-bump-pagination-is-layout-flex" data-wp-bind--hidden="!state.showPagination" aria-label="Pagination des augmentations de commande" hidden> <div aria-disabled="true" disabled class="has-arrow-type-chevron wp-block-surecart-cart-order-bump-pagination-previous" data-wp-on--click="surecart/order-bumps::actions.previousPage" data-wp-on--keydown="surecart/order-bumps::actions.handlePreviousKeydown" data-wp-bind--disabled="!state.hasPreviousPage" data-wp-bind--aria-disabled="!state.hasPreviousPage" aria-label="Page précédente" role="button" tabindex="0" > <svg aria-hidden="true" class="wp-block-surecart-cart-order-bump-pagination-previous__icon" xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <polyline points="15 18 9 12 15 6" /> </svg> </div> <div aria-disabled="true" disabled class="has-arrow-type-chevron wp-block-surecart-cart-order-bump-pagination-next" data-wp-on--click="surecart/order-bumps::actions.nextPage" data-wp-on--keydown="surecart/order-bumps::actions.handleNextKeydown" data-wp-bind--disabled="!state.hasNextPage" data-wp-bind--aria-disabled="!state.hasNextPage" aria-label="Page suivante" role="button" tabindex="0" > <svg aria-hidden="true" class="wp-block-surecart-cart-order-bump-pagination-next__icon" xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <polyline points="9 18 15 12 9 6" /> </svg> </div> </nav> </div> <ul class="wp-block-surecart-cart-order-bump-template is-layout-flex wp-container-surecart-cart-order-bump-template-is-layout-242c3b10 wp-block-surecart-cart-order-bump-template-is-layout-flex" role="list" data-wp-class--has-overflow="state.hasMultipleBumps" data-wp-on--scrollend="callbacks.onCarouselScroll" data-wp-on--keydown="actions.handleCarouselKeydown" tabindex="0" data-wp-bind--aria-label="state.orderBumpsListAriaLabel" > <template data-wp-each--bump="state.orderBumps" data-wp-each-key="context.bump.id" > <li class="sc-cart-order-bump-item" role="listitem"> <div class="wp-block-group has-border-color wp-container-content-9cfa9a5a is-nowrap is-layout-flex wp-container-core-group-is-layout-811b0336 wp-block-group-is-layout-flex" style="border-color:#e0e0e0;border-width:1px;border-radius:12px;padding-top:0.75em;padding-right:1em;padding-bottom:0.75em;padding-left:0.75em"> <figure class="sc-cart-order-bump-image-wrap wp-container-content-d0d0a6b5" data-wp-bind--hidden="!context.bump.price.product.line_item_image.src"> <img style="aspect-ratio:1;width:72px;border-radius:8px;" class="sc-is-covered wp-block-surecart-cart-order-bump-image" data-wp-bind--alt="context.bump.price.product.name" data-wp-bind--src="context.bump.price.product.line_item_image.src" loading="lazy" /> </figure> <div class="wp-block-group wp-container-content-9cfa9a5a is-vertical is-layout-flex wp-container-core-group-is-layout-42e9c677 wp-block-group-is-layout-flex"> <span style="font-size:15px;font-weight:600;line-height:1.3;" class="wp-block-surecart-cart-order-bump-title" data-wp-text="context.bump.name" ></span> <div style="color:#6b7280; font-size:13px;line-height:1.3;" class="wp-block-surecart-cart-order-bump-description has-text-color" data-wp-bind--hidden="!context.bump.metadata.description" data-wp-text="context.bump.metadata.description" hidden></div> <div class="wp-block-group is-nowrap is-layout-flex wp-container-core-group-is-layout-89a94f6a wp-block-group-is-layout-flex"> <div style="font-size:14px;" class="wp-block-surecart-cart-order-bump-scratch-amount" data-wp-text="context.bump.subtotal_display_amount" data-wp-bind--hidden="!state.bumpHasDiscount" ></div> <div style="font-size:14px;font-weight:500;" class="wp-block-surecart-cart-order-bump-amount" data-wp-text="context.bump.total_display_amount"></div> </div> </div> <div style="font-size:18px;font-weight:400; border-color:#d1d5db;border-top-left-radius:74.6%;border-top-right-radius:74.6%;border-bottom-left-radius:74.6%;border-bottom-right-radius:74.6%;border-width:1px; padding-top:0.5em;padding-bottom:0.5em;padding-left:0.5em;padding-right:0.5em;" class="sc-cart-order-bump-add-button wp-block-surecart-cart-order-bump-add-button has-border-color" role="button" tabindex="0" data-wp-on--click="surecart/order-bumps::actions.addBumpToCart" data-wp-on--keydown="surecart/order-bumps::actions.handleAddButtonKeydown" data-wp-bind--disabled="state.isBumpInCart" data-wp-bind--aria-disabled="state.isBumpInCart" data-wp-class--sc-cart-order-bump-add-button--added="state.isBumpInCart" data-wp-bind--aria-label="state.addButtonAriaLabel" aria-label="Ajouter au panier" > <span class="sc-cart-order-bump-add-button__icon" aria-hidden="true" data-wp-bind--hidden="state.isBumpInCart"> <svg aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <line x1="12" y1="5" x2="12" y2="19" /> <line x1="5" y1="12" x2="19" y2="12" /> </svg> </span> <span class="sc-cart-order-bump-add-button__icon" aria-hidden="true" data-wp-bind--hidden="!state.isBumpInCart" hidden> <svg aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <polyline points="20 6 9 17 4 12" /> </svg> </span> </div> </div> </li> </template> </ul> </div> <div class="wp-block-group" style="margin-top:0;margin-bottom:0;padding-top:2em;padding-right:2em;padding-bottom:2em;padding-left:2em"><div class="wp-block-group__inner-container is-layout-constrained wp-container-core-group-is-layout-a63a6252 wp-block-group-is-layout-constrained"> <div class="wp-block-surecart-slide-out-cart-items-subtotal is-content-justification-space-between is-nowrap is-layout-flex wp-container-surecart-slide-out-cart-items-subtotal-is-layout-7351673c wp-block-surecart-slide-out-cart-items-subtotal-is-layout-flex"> <div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-container-core-group-is-layout-d6743c7d wp-block-group-is-layout-flow"> <p style="margin-top:0px;margin-bottom:0px;font-size:18px;font-style:normal;font-weight:500;line-height:1.4"> Sous-total</p> <p class="has-text-color has-link-color wp-elements-3ccbd622ec95a2fb9ce4984e15710a06" style="color:var(--sc-input-help-text-color);font-size:14px;line-height:1.4">Taxes et frais de port calculés à la caisse</p> </div></div> <div class="wp-block-group is-content-justification-right is-nowrap is-layout-flex wp-container-core-group-is-layout-f8a47911 wp-block-group-is-layout-flex"><span style="font-size:18px;line-height:1.4;" class="wp-block-surecart-cart-subtotal-scratch-amount" data-wp-text="state.checkout.subtotal_scratch_display_amount" data-wp-bind--hidden="!state.hasSubtotalScratchAmount" data-wp-bind--aria-label="state.subtotalScratchAriaLabel" hidden></span> <span style="font-size:18px;font-style:normal;font-weight:500;line-height:1.4;" class="wp-block-surecart-cart-subtotal-amount" data-wp-text="state.checkout.subtotal_display_amount"></span> </div> </div> <div class="sc-cart-items-submit__wrapper" style="" > <div class="wp-block-button"> <a style="border-radius:4px;" class="wp-block-button__link wp-element-button sc-button__link wp-block-surecart-slide-out-cart-items-submit" href="https://wp-security.org/fr/checkout/" data-wp-bind--disabled="state.loading" data-wp-class--sc-button__link--busy="state.loading" > <span class="sc-spinner" aria-hidden="false"></span> <span class="sc-button__link-text">Passer à la caisse</span> </a> </div> </div> </div></div> </div></div> <div class="sc-block-ui" data-wp-bind--hidden="!state.loading" hidden></div> </div> <!-- backdrop --> <div class="sc-drawer__backdrop" data-wp-on--mousedown="surecart/cart::actions.closeOverlay" data-wp-on--touchstart="surecart/cart::actions.closeOverlay" data-wp-class--show="surecart/cart::state.open" data-wp-on--keydown="surecart/cart::actions.handleKeydown"></div> </div> <!-- Render floating cart icon --> <div data-wp-interactive='{ "namespace": "surecart/checkout" }' class="wp-block-surecart-cart-icon" data-wp-context='{"formId":131,"mode":"live"}' data-wp-on--click="surecart/cart::actions.toggle" data-wp-on--keydown="surecart/cart::actions.toggle" tabindex="0" role="button" data-wp-bind--hidden="!state.hasItems" hidden> <div class="wp-block-surecart-cart-icon__container"> <div class="wp-block-surecart-cart-icon__icon" aria-label="Bouton du panier."> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <path d="M6 2L3 6v14a2 2 0 0 0 2 2h14a2 2 0 0 0 2-2V6l-3-4z" /> <line x1="3" y1="6" x2="21" y2="6" /> <path d="M16 10a4 4 0 0 1-8 0" /> </svg> </div> <span class="wp-block-surecart-cart-icon__count" data-wp-text="state.itemsCount" data-wp-bind--aria-label="state.itemsCountAriaLabel" >0</span> </div> </div><script src="https://wp-security.org/wp-includes/js/dist/url.min.js?ver=9e178c9516d1222dc834" id="wp-url-js"></script>
<script src="https://wp-security.org/wp-includes/js/dist/hooks.min.js?ver=dd5603f07f9220ed27f1" id="wp-hooks-js"></script>
<script src="https://wp-security.org/wp-includes/js/dist/i18n.min.js?ver=c26c3dc7bed366793375" id="wp-i18n-js"></script>
<script id="wp-i18n-js-after">
wp.i18n.setLocaleData( { 'text direction\u0004ltr': [ 'ltr' ] } );
//# sourceURL=wp-i18n-js-after
</script>
<script id="wp-api-fetch-js-translations">
( function( domain, translations ) {
	var localeData = translations.locale_data[ domain ] || translations.locale_data.messages;
	localeData[""].domain = domain;
	wp.i18n.setLocaleData( localeData, domain );
} )( "default", {"translation-revision-date":"2026-04-20 08:59:17+0000","generator":"GlotPress\/4.0.3","domain":"messages","locale_data":{"messages":{"":{"domain":"messages","plural-forms":"nplurals=2; plural=n > 1;","lang":"fr"},"The response is not a valid JSON response.":["La r\u00e9ponse n\u2019est pas une r\u00e9ponse JSON valide."],"Media upload failed. If this is a photo or a large image, please scale it down and try again.":["Le t\u00e9l\u00e9versement du m\u00e9dia a \u00e9chou\u00e9. S\u2019il s\u2019agit d\u2019une photo ou d\u2019une grande image, veuillez la redimensionner puis r\u00e9essayer."],"Unable to connect. Please check your Internet connection.":["Impossible de se connecter. Veuillez v\u00e9rifier votre connexion Internet."],"Could not get a valid response from the server.":["Impossible d\u2019obtenir du serveur une r\u00e9ponse valide."]}},"comment":{"reference":"wp-includes\/js\/dist\/api-fetch.js"}} );
//# sourceURL=wp-api-fetch-js-translations
</script>
<script src="https://wp-security.org/wp-includes/js/dist/api-fetch.min.js?ver=3a4d9af2b423048b0dee" id="wp-api-fetch-js"></script>
<script id="wp-api-fetch-js-after">
wp.apiFetch.use( wp.apiFetch.createRootURLMiddleware( "https://wp-security.org/fr/wp-json/" ) );
wp.apiFetch.nonceMiddleware = wp.apiFetch.createNonceMiddleware( "72270e053a" );
wp.apiFetch.use( wp.apiFetch.nonceMiddleware );
wp.apiFetch.use( wp.apiFetch.mediaUploadMiddleware );
wp.apiFetch.nonceEndpoint = "https://wp-security.org/wp-admin/admin-ajax.php?action=rest-nonce";
//# sourceURL=wp-api-fetch-js-after
</script>
<script src="https://wp-security.org/wp-includes/js/dist/dom-ready.min.js?ver=f77871ff7694fffea381" id="wp-dom-ready-js"></script>
<script id="wp-a11y-js-translations">
( function( domain, translations ) {
	var localeData = translations.locale_data[ domain ] || translations.locale_data.messages;
	localeData[""].domain = domain;
	wp.i18n.setLocaleData( localeData, domain );
} )( "default", {"translation-revision-date":"2026-04-20 08:59:17+0000","generator":"GlotPress\/4.0.3","domain":"messages","locale_data":{"messages":{"":{"domain":"messages","plural-forms":"nplurals=2; plural=n > 1;","lang":"fr"},"Notifications":["Notifications"]}},"comment":{"reference":"wp-includes\/js\/dist\/a11y.js"}} );
//# sourceURL=wp-a11y-js-translations
</script>
<script src="https://wp-security.org/wp-includes/js/dist/a11y.min.js?ver=cb460b4676c94bd228ed" id="wp-a11y-js"></script>
<script id="trp-dynamic-translator-js-extra">
var trp_data = {"trp_custom_ajax_url":"https://wp-security.org/wp-content/plugins/translatepress-multilingual/includes/trp-ajax.php","trp_wp_ajax_url":"https://wp-security.org/wp-admin/admin-ajax.php","trp_language_to_query":"fr_FR","trp_original_language":"en_US","trp_current_language":"fr_FR","trp_skip_selectors":["[data-no-translation]","[data-no-dynamic-translation]","[data-trp-translate-id-innertext]","script","style","head","trp-span","translate-press","[data-trp-translate-id]","[data-trpgettextoriginal]","[data-trp-post-slug]"],"trp_base_selectors":["data-trp-translate-id","data-trpgettextoriginal","data-trp-post-slug"],"trp_attributes_selectors":{"text":{"accessor":"outertext","attribute":false},"block":{"accessor":"innertext","attribute":false},"image_src":{"selector":"img[src]","accessor":"src","attribute":true},"submit":{"selector":"input[type='submit'],input[type='button'], input[type='reset']","accessor":"value","attribute":true},"placeholder":{"selector":"input[placeholder],textarea[placeholder]","accessor":"placeholder","attribute":true},"title":{"selector":"[title]","accessor":"title","attribute":true},"a_href":{"selector":"a[href]","accessor":"href","attribute":true},"button":{"accessor":"outertext","attribute":false},"option":{"accessor":"innertext","attribute":false},"aria_label":{"selector":"[aria-label]","accessor":"aria-label","attribute":true},"video_src":{"selector":"video[src]","accessor":"src","attribute":true},"video_poster":{"selector":"video[poster]","accessor":"poster","attribute":true},"video_source_src":{"selector":"video source[src]","accessor":"src","attribute":true},"audio_src":{"selector":"audio[src]","accessor":"src","attribute":true},"audio_source_src":{"selector":"audio source[src]","accessor":"src","attribute":true},"picture_image_src":{"selector":"picture image[src]","accessor":"src","attribute":true},"picture_source_srcset":{"selector":"picture source[srcset]","accessor":"srcset","attribute":true}},"trp_attributes_accessors":["outertext","innertext","src","value","placeholder","title","href","aria-label","poster","srcset"],"gettranslationsnonceregular":"b3ba52ef04","showdynamiccontentbeforetranslation":"","skip_strings_from_dynamic_translation":[],"skip_strings_from_dynamic_translation_for_substrings":{"href":["amazon-adsystem","googleads","g.doubleclick"]},"duplicate_detections_allowed":"100","trp_translate_numerals_opt":"no","trp_no_auto_translation_selectors":["[data-no-auto-translation]"]};
//# sourceURL=trp-dynamic-translator-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/translatepress-multilingual/assets/js/trp-translate-dom-changes.js?ver=3.1.8" id="trp-dynamic-translator-js"></script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/assets/js/_scripts.js?ver=3.0.7" id="powerkit-js"></script>
<script src="https://wp-security.org/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=6.1.5" id="swv-js"></script>
<script id="contact-form-7-js-translations">
( function( domain, translations ) {
	var localeData = translations.locale_data[ domain ] || translations.locale_data.messages;
	localeData[""].domain = domain;
	wp.i18n.setLocaleData( localeData, domain );
} )( "contact-form-7", {"translation-revision-date":"2025-02-06 12:02:14+0000","generator":"GlotPress\/4.0.3","domain":"messages","locale_data":{"messages":{"":{"domain":"messages","plural-forms":"nplurals=2; plural=n > 1;","lang":"fr"},"This contact form is placed in the wrong place.":["Ce formulaire de contact est plac\u00e9 dans un mauvais endroit."],"Error:":["Erreur\u00a0:"]}},"comment":{"reference":"includes\/js\/index.js"}} );
//# sourceURL=contact-form-7-js-translations
</script>
<script id="contact-form-7-js-before">
var wpcf7 = {
    "api": {
        "root": "https:\/\/wp-security.org\/fr\/wp-json\/",
        "namespace": "contact-form-7\/v1"
    },
    "cached": 1
};
//# sourceURL=contact-form-7-js-before
</script>
<script src="https://wp-security.org/wp-content/plugins/contact-form-7/includes/js/index.js?ver=6.1.5" id="contact-form-7-js"></script>
<script id="disqus_count-js-extra">
var countVars = {"disqusShortname":"wp-security-org"};
//# sourceURL=disqus_count-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/disqus-comment-system/public/js/comment_count.js?ver=3.1.4" id="disqus_count-js"></script>
<script id="disqus_embed-js-extra">
var embedVars = {"disqusConfig":{"integration":"wordpress 3.1.4 6.9.4"},"disqusIdentifier":"3543 https://wp-security.org/uncategorized/community-alert-xss-in-json-importercve202515363/","disqusShortname":"wp-security-org","disqusTitle":"Community Alert XSS in JSON Importer(CVE202515363)","disqusUrl":"https://wp-security.org/fr/vulnerability-database/community-alert-xss-in-json-importercve202515363/","postId":"3543"};
//# sourceURL=disqus_embed-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/disqus-comment-system/public/js/comment_embed.js?ver=3.1.4" id="disqus_embed-js"></script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/basic-elements/public/js/public-powerkit-basic-elements.js?ver=4.0.0" id="powerkit-basic-elements-js"></script>
<script src="https://wp-security.org/wp-content/plugins/canvas/components/justified-gallery/block/jquery.justifiedGallery.min.js?ver=2.5.2" id="justifiedgallery-js"></script>
<script id="powerkit-justified-gallery-js-extra">
var powerkitJG = {"rtl":""};
//# sourceURL=powerkit-justified-gallery-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/justified-gallery/public/js/public-powerkit-justified-gallery.js?ver=3.0.7" id="powerkit-justified-gallery-js"></script>
<script src="https://wp-security.org/wp-includes/js/imagesloaded.min.js?ver=5.0.0" id="imagesloaded-js"></script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/lightbox/public/js/glightbox.min.js?ver=3.0.7" id="glightbox-js"></script>
<script id="powerkit-lightbox-js-extra">
var powerkit_lightbox_localize = {"text_previous":"Previous","text_next":"Next","text_close":"Close","text_loading":"Loading","text_counter":"of","single_image_selectors":".entry-content img,.single .post-media img","gallery_selectors":".wp-block-gallery,.gallery","exclude_selectors":".sight-portfolio-area","zoom_icon":"1"};
//# sourceURL=powerkit-lightbox-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/lightbox/public/js/public-powerkit-lightbox.js?ver=3.0.7" id="powerkit-lightbox-js"></script>
<script id="powerkit-opt-in-forms-js-extra">
var opt_in = {"ajax_url":"https://wp-security.org/wp-admin/admin-ajax.php","warning_privacy":"Please confirm that you agree with our policies.","is_admin":"","server_error":"Server error occurred. Please try again later."};
//# sourceURL=powerkit-opt-in-forms-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/opt-in-forms/public/js/public-powerkit-opt-in-forms.js?ver=3.0.7" id="powerkit-opt-in-forms-js"></script>
<script async="async" defer="defer" src="//assets.pinterest.com/js/pinit.js?ver=6.9.4" id="powerkit-pinterest-js"></script>
<script id="powerkit-pin-it-js-extra">
var powerkit_pinit_localize = {"image_selectors":".entry-content img","exclude_selectors":".cnvs-block-row,.cnvs-block-section,.cnvs-block-posts .entry-thumbnail,.cnvs-post-thumbnail,.pk-block-author,.pk-featured-categories img,.pk-inline-posts-container img,.pk-instagram-image,.pk-subscribe-image,.wp-block-cover,.pk-block-posts,.sight-portfolio-entry-link-page","only_hover":"1"};
//# sourceURL=powerkit-pin-it-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/pinterest/public/js/public-powerkit-pin-it.js?ver=3.0.7" id="powerkit-pin-it-js"></script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/scroll-to-top/public/js/public-powerkit-scroll-to-top.js?ver=3.0.7" id="powerkit-scroll-to-top-js"></script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/share-buttons/public/js/public-powerkit-share-buttons.js?ver=3.0.7" id="powerkit-share-buttons-js"></script>
<script src="https://wp-security.org/wp-content/plugins/canvas/components/slider-gallery/block/flickity.pkgd.min.js?ver=2.5.2" id="flickity-js"></script>
<script id="powerkit-slider-gallery-js-extra">
var powerkit_sg_flickity = {"page_info_sep":" of "};
//# sourceURL=powerkit-slider-gallery-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/slider-gallery/public/js/public-powerkit-slider-gallery.js?ver=3.0.7" id="powerkit-slider-gallery-js"></script>
<script id="powerkit-table-of-contents-js-extra">
var powerkit_toc_config = {"label_show":"Show","label_hide":"Hide"};
//# sourceURL=powerkit-table-of-contents-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/table-of-contents/public/js/public-powerkit-table-of-contents.js?ver=3.0.7" id="powerkit-table-of-contents-js"></script>
<script src="https://wp-security.org/wp-content/plugins/sight/render/js/jquery.magnific-popup.min.js?ver=1774098503" id="magnific-popup-js"></script>
<script id="sight-block-script-js-extra">
var sight_lightbox_localize = {"text_previous":"Previous","text_next":"Next","text_close":"Close","text_loading":"Loading","text_counter":"of"};
//# sourceURL=sight-block-script-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/sight/render/js/sight.js?ver=1774098503" id="sight-block-script-js"></script>
<script src="https://wp-security.org/wp-content/plugins/kirki/assets/js/kirki.min.js?ver=6.0.3" id="kirki-js"></script>
<script src="https://wp-security.org/wp-content/plugins/canvas/components/posts/block-posts/colcade.js?ver=2.5.2" id="colcade-js"></script>
<script src="https://wp-security.org/wp-content/themes/squaretype/js/ofi.min.js?ver=3.2.3" id="object-fit-images-js"></script>
<script id="csco-scripts-js-extra">
var csco_mega_menu = {"rest_url":"https://wp-security.org/fr/wp-json/csco/v1/menu-posts","current_lang":"","current_locale":"fr_FR"};
//# sourceURL=csco-scripts-js-extra
</script>
<script src="https://wp-security.org/wp-content/themes/squaretype/js/scripts.js?ver=3.1.1" id="csco-scripts-js"></script>
<script src="https://wp-security.org/wp-includes/js/comment-reply.min.js?ver=6.9.4" id="comment-reply-js" async data-wp-strategy="async" fetchpriority="low"></script>
<script id="wp-emoji-settings" type="application/json">
{"baseUrl":"https://s.w.org/images/core/emoji/17.0.2/72x72/","ext":".png","svgUrl":"https://s.w.org/images/core/emoji/17.0.2/svg/","svgExt":".svg","source":{"concatemoji":"https://wp-security.org/wp-includes/js/wp-emoji-release.min.js?ver=6.9.4"}}
</script>
<script type="module">
/*! This file is auto-generated */
const a=JSON.parse(document.getElementById("wp-emoji-settings").textContent),o=(window._wpemojiSettings=a,"wpEmojiSettingsSupports"),s=["flag","emoji"];function i(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function c(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data);e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0);const a=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data);return t.every((e,t)=>e===a[t])}function p(e,t){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var n=e.getImageData(16,16,1,1);for(let e=0;e<n.data.length;e++)if(0!==n.data[e])return!1;return!0}function u(e,t,n,a){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\udde8\ud83c\uddf6","\ud83c\udde8\u200b\ud83c\uddf6")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!a(e,"\ud83e\u1fac8")}return!1}function f(e,t,n,a){let r;const o=(r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):document.createElement("canvas")).getContext("2d",{willReadFrequently:!0}),s=(o.textBaseline="top",o.font="600 32px Arial",{});return e.forEach(e=>{s[e]=t(o,e,n,a)}),s}function r(e){var t=document.createElement("script");t.src=e,t.defer=!0,document.head.appendChild(t)}a.supports={everything:!0,everythingExceptFlag:!0},new Promise(t=>{let n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),c.toString(),p.toString()].join(",")+"));",a=new Blob([e],{type:"text/javascript"});const r=new Worker(URL.createObjectURL(a),{name:"wpTestEmojiSupports"});return void(r.onmessage=e=>{i(n=e.data),r.terminate(),t(n)})}catch(e){}i(n=f(s,u,c,p))}t(n)}).then(e=>{for(const n in e)a.supports[n]=e[n],a.supports.everything=a.supports.everything&&a.supports[n],"flag"!==n&&(a.supports.everythingExceptFlag=a.supports.everythingExceptFlag&&a.supports[n]);var t;a.supports.everythingExceptFlag=a.supports.everythingExceptFlag&&!a.supports.flag,a.supports.everything||((t=a.source||{}).concatemoji?r(t.concatemoji):t.wpemoji&&t.twemoji&&(r(t.twemoji),r(t.wpemoji)))});
//# sourceURL=https://wp-security.org/wp-includes/js/wp-emoji-loader.min.js
</script>
<div style="position:absolute;margin:-1px;padding:0;height:1px;width:1px;overflow:hidden;clip-path:inset(50%);border:0;word-wrap:normal !important;"><p id="a11y-speak-intro-text" class="a11y-speak-intro-text" hidden data-no-translation="" data-trp-gettext="">Notifications</p><div id="a11y-speak-assertive" class="a11y-speak-region" aria-live="assertive" aria-relevant="additions text" aria-atomic="true"></div><div id="a11y-speak-polite" class="a11y-speak-region" aria-live="polite" aria-relevant="additions text" aria-atomic="true"></div></div>
        <!-- Usermaven - privacy-friendly analytics tool -->
        <script type="text/javascript">
            (function () {
                window.usermaven = window.usermaven || (function () { (window.usermavenQ = window.usermavenQ || []).push(arguments); })
                var t = document.createElement('script'),
                    s = document.getElementsByTagName('script')[0];
                t.defer = true;
                t.id = 'um-tracker';
                t.setAttribute('data-tracking-host', 'https://u.wp-security.org');
                t.setAttribute('data-key', 'UMZaYew9Sp');
                t.setAttribute('data-autocapture', 'true');                                                t.setAttribute('data-randomize-url', 'true');
                t.src = 'https://u.wp-security.org/lib.js';
                s.parentNode.insertBefore(t, s);
            })();
        </script>
        <!-- / Usermaven -->


        
        
<nav
    class="trp-language-switcher trp-floating-switcher trp-ls-dropdown trp-switcher-position-bottom"
    style="--bg:#ffffffb2;--bg-hover:#0000000d;--text:#000000;--text-hover:#000000;--border:1px solid transparent;--border-radius:8px 8px 0px 0px;--flag-radius:2px;--flag-size:20px;--aspect-ratio:4/3;--font-size:16px;--switcher-width:auto;--switcher-padding:10px 0;--transition-duration:0.2s;--bottom:0px;--right:10vw"
    role="navigation"
    aria-label="Sélecteur de langue du site Web"
    data-no-translation
>
    
            <div class="trp-language-switcher-inner">
            <div class="trp-language-item trp-language-item__current" title="French" role="button" tabindex="0" aria-expanded="false" aria-label="Change language" aria-controls="trp-switcher-dropdown-list" data-no-translation><span class="trp-language-item-name">French</span></div>
            <div
                class="trp-switcher-dropdown-list"
                id="trp-switcher-dropdown-list"
                role="group"
                aria-label="Langues disponibles"
                hidden
 inert
>
                                    <a href="https://wp-security.org/vulnerability-database/community-alert-xss-in-json-importercve202515363/" class="trp-language-item" title="English" data-no-translation><span class="trp-language-item-name">English</span></a>                                    <a href="https://wp-security.org/zh/vulnerability-database/community-alert-xss-in-json-importercve202515363/" class="trp-language-item" title="Chinese (Hong Kong)" data-no-translation><span class="trp-language-item-name">Chinese (Hong Kong)</span></a>                                    <a href="https://wp-security.org/zh_cn/vulnerability-database/community-alert-xss-in-json-importercve202515363/" class="trp-language-item" title="Chinese (China)" data-no-translation><span class="trp-language-item-name">Chinese (China)</span></a>                                    <a href="https://wp-security.org/es/vulnerability-database/community-alert-xss-in-json-importercve202515363/" class="trp-language-item" title="Spanish" data-no-translation><span class="trp-language-item-name">Spanish</span></a>                                    <a href="https://wp-security.org/hi/vulnerability-database/community-alert-xss-in-json-importercve202515363/" class="trp-language-item" title="Hindi" data-no-translation><span class="trp-language-item-name">Hindi</span></a>                            </div>
        </div>

    </nav>
	<script type="text/javascript">
		"use strict";

		(function($) {

			$( window ).on( 'load', function() {

				// Each All Share boxes.
				$( '.pk-share-buttons-mode-rest' ).each( function() {

					var powerkitButtonsIds = [],
						powerkitButtonsBox = $( this );

					// Check Counts.
					if ( ! powerkitButtonsBox.hasClass( 'pk-share-buttons-has-counts' ) && ! powerkitButtonsBox.hasClass( 'pk-share-buttons-has-total-counts' ) ) {
						return;
					}

					powerkitButtonsBox.find( '.pk-share-buttons-item' ).each( function() {
						if ( $( this ).attr( 'data-id' ).length > 0 ) {
							powerkitButtonsIds.push( $( this ).attr( 'data-id' ) );
						}
					});

					// Generate accounts data.
					var powerkitButtonsData = {};

					if( powerkitButtonsIds.length > 0 ) {
						powerkitButtonsData = {
							'ids'     : powerkitButtonsIds.join(),
							'post_id' : powerkitButtonsBox.attr( 'data-post-id' ),
							'url'     : powerkitButtonsBox.attr( 'data-share-url' ),
						};
					}

					// Get results by REST API.
					$.ajax({
						type: 'GET',
						url: 'https://wp-security.org/fr/wp-json/social-share/v1/get-shares',
						data: powerkitButtonsData,
						beforeSend: function(){

							// Add Loading Class.
							powerkitButtonsBox.addClass( 'pk-share-buttons-loading' );
						},
						success: function( response ) {

							if ( ! $.isEmptyObject( response ) && ! response.hasOwnProperty( 'code' ) ) {

								// Accounts loop.
								$.each( response, function( index, data ) {

									if ( index !== 'total_count' ) {

										// Find Bsa Item.
										var powerkitButtonsItem = powerkitButtonsBox.find( '.pk-share-buttons-item[data-id="' + index + '"]');

										// Set Count.
										if ( data.hasOwnProperty( 'count' ) && data.count  ) {

											powerkitButtonsItem.removeClass( 'pk-share-buttons-no-count' ).addClass( 'pk-share-buttons-item-count' );
											powerkitButtonsItem.find( '.pk-share-buttons-count' ).html( data.count );

										} else {
											powerkitButtonsItem.addClass( 'pk-share-buttons-no-count' );
										}
									}
								});

								if ( powerkitButtonsBox.hasClass( 'pk-share-buttons-has-total-counts' ) && response.hasOwnProperty( 'total_count' ) ) {
									var powerkitButtonsTotalBox = powerkitButtonsBox.find( '.pk-share-buttons-total' );

									if ( response.total_count ) {
										powerkitButtonsTotalBox.find( '.pk-share-buttons-count' ).html( response.total_count );
										powerkitButtonsTotalBox.show().removeClass( 'pk-share-buttons-total-no-count' );
									}
								}
							}

							// Remove Loading Class.
							powerkitButtonsBox.removeClass( 'pk-share-buttons-loading' );
						},
						error: function() {

							// Remove Loading Class.
							powerkitButtonsBox.removeClass( 'pk-share-buttons-loading' );
						}
					});
				});
			});

		})(jQuery);
	</script>
	</body>
</html>
<!--
Performance optimized by Redis Object Cache. Learn more: https://wprediscache.com

10820 objets récupérés (1 Mo) depuis Redis grâce à PhpRedis (v6.3.0).
-->

Alerte de la communauté XSS dans l'importateur JSON (CVE202515363)

JSON Content Importer < 2.0.10 — Contributor+ Stored XSS (CVE‑2025‑15363)

Résumé rapide (tl;dr)

Pourquoi le XSS stocké est important dans WordPress

Comment cette vulnérabilité spécifique fonctionne — niveau élevé

Scénarios d'exploitation réalistes

Liste de contrôle d'action immédiate — que faire maintenant (0–72 heures)

How to detect if you’ve been targeted / exploited