JSON Content Importer < 2.0.10 — Contributor+ Stored XSS (CVE‑2025‑15363)

插件名称	WordPress JSON 内容导入插件
漏洞类型	跨站脚本攻击（XSS）
CVE 编号	CVE-2025-15363
紧急程度	中等
CVE 发布日期	2026-03-19
来源网址	CVE-2025-15363

JSON Content Importer < 2.0.10 — Contributor+ Stored XSS (CVE‑2025‑15363)

发布日期：2026-03-19

作为总部位于香港的安全专业人士，拥有 WordPress 事件响应的实践经验，本文提供了对影响 JSON 内容导入插件版本 2.0.10 之前的 CVE‑2025‑15363（存储型 XSS）的技术分析。目标是务实的：解释机制、实际影响、检测技术、遏制步骤和长期加固措施，以降低风险，同时应用供应商补丁。.

快速总结（tl;dr）

在版本 2.0.10 之前的 JSON 内容导入插件中存在存储型 XSS。.
该漏洞可以被具有贡献者权限或更高权限的账户滥用。.
成功利用需要特权用户的交互（例如，在管理员中查看精心制作的帖子），因此通常涉及社会工程学。.
CVSS（报告值）为 6.5 — 对于具有贡献者角色和活跃编辑/管理员审核工作流的网站，影响中等偏高。.
更新到 2.0.10（或更高版本）作为最终修复。如果您无法立即更新，请应用下面描述的临时缓解措施。.

为什么存储型 XSS 在 WordPress 中很重要

存储型 XSS 是危险的，因为恶意输入会在网站上持久化（帖子、帖子元数据、插件设置、评论等），并在受害者的浏览器上下文中稍后执行。在 WordPress 中，管理员用户是最高价值的受害者：如果攻击者能够在管理员会话中执行脚本，则可能会导致网站接管。.

常见的后利用后果：

管理员会话盗窃（cookie/会话劫持）导致网站接管。.
通过 JavaScript 驱动的操作进行权限提升（创建新管理员用户，通过 AJAX 更改选项）。.
安装持久后门或 Web Shell。.
向网站访问者分发恶意软件或凭证收集表单。.
内容注入、SEO 垃圾邮件和长期声誉损害。.

这种特定漏洞的工作原理 — 高级别

拥有贡献者（或更高）权限的用户向插件提供的端点或用户界面提交数据 — 例如，一个导入字段或存储 JSON 内容或标记的区域。.
插件在后续输出到管理页面（或其他特权用户访问的页面）时，没有充分清理或转义数据而持久化该数据。.
管理员或编辑在仪表板（或预览）中打开受影响的页面，注入的 JavaScript 在他们的浏览器中执行。.
该脚本执行特权操作（使用 cookies、调用管理员 AJAX 操作、创建用户、提取令牌），使得接管或持久性妥协成为可能。.

关键点： 利用需要特权用户查看存储的有效负载；初始攻击者只需要贡献者访问权限。这对接受贡献者提交或允许从外部来源导入内容的网站来说是重要的。.

现实的利用场景

志愿贡献者在新闻网站上提交草稿。攻击者包含一个精心制作的 JSON 有效负载，当编辑审查草稿时执行。.
被攻陷的承包商账户或恶意承包商通过插件的导入功能提供有效负载。.
吞噬远程 JSON/RSS 的网站：攻击者修改源或注入提供给插件的有效负载。.
社会工程：攻击者请求编辑“请审查我的帖子”，增加有效负载被查看的机会。.

立即行动清单 — 现在该做什么（0–72 小时）

如果您运行 JSON 内容导入器，请立即将插件更新到 2.0.10（或更高版本）。这是唯一的永久修复。.
如果您无法立即更新：
- 禁用或卸载插件，直到您可以修补。.
- 限制对插件端点的访问（请参见下面的临时 WAF/htaccess 示例）。.
- 暂时移除与插件交互的贡献者权限或限制贡献者角色的操作。.
扫描妥协指标（IOCs）：
- 在帖子、postmeta 和其他插件表中搜索脚本标签。.
- 检查文件是否有新添加的 PHP 文件或最近的修改。.
- 查找创建的管理员或意外的角色变更。.
如果检测到可疑活动，强制所有管理员和特权账户重置密码。.
确保备份可用，并在修复之前进行新的备份。.

How to detect if you’ve been targeted / exploited

存储的 XSS 可能很隐蔽。使用自动扫描加上手动数据库查询和日志审查。.

在数据库中搜索脚本标签：

-- Posts containing script tags
SELECT ID, post_title, post_author, post_date
FROM wp_posts
WHERE post_content LIKE '%


Search for common JS payload patterns:

onerror=
onload=
javascript:

</ul>
<p>Example WP‑CLI command:</p>
<pre><code># Search for "<script" in post content using WP-CLI
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<script%';"</code></pre>
<p>Server log review:</p>
<ul>
<li>Look for suspicious POST requests to plugin endpoints such as admin-ajax.php, plugin import endpoints, or unusual REST calls mapping to plugin routes.</li>
<li>Check for requests from unfamiliar IPs or spikes in contributor activity.</li>
</ul>
<p>Browser console evidence: administrators reporting popups, unexpected redirects, or automatic downloads may indicate JS execution.</p>
<p>File system checks:</p>
<pre><code># Find PHP files modified in last 14 days
find /var/www/html -type f -iname '*.php' -mtime -14 -ls</code></pre>
<p>User accounts:</p>
<pre><code>wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
wp user list --role=subscriber --role=contributor --fields=ID,user_login,user_email,user_registered</code></pre>
<h2 id="incident-response-if-you-suspect-compromise">Incident response — if you suspect compromise</h2>
<ol>
<li>Isolate the environment: put the site into maintenance mode or temporarily take it offline; isolate credentials and processes if hosting multiple sites on the same server.</li>
<li>Take a full backup (files + DB) immediately for forensics.</li>
<li>Identify the attack vector and affected records (use the detection queries above).</li>
<li>Clean the site:
<ul>
<li>Remove malicious entries from post_content/postmeta (manually or via clean backups).</li>
<li>Remove injected files and malicious scheduled tasks.</li>
<li>Reinstall core and plugin files from known clean sources.</li>
</ul>
</li>
<li>Reset credentials:
<ul>
<li>Force password reset for all admin users.</li>
<li>Rotate API keys, webhook secrets, and tokens stored on the site.</li>
</ul>
</li>
<li>Verify integrity with malware scans and log inspection for persistence or beaconing.</li>
<li>Restore from a clean backup if necessary.</li>
<li>Review and harden: update the plugin to 2.0.10+, re‑examine user roles and remove unnecessary contributor accounts, and deploy temporary request filtering where needed.</li>
</ol>
<p>If you are unsure at any step, engage a qualified WordPress security professional; persistent backdoors can be subtle and difficult to detect.</p>
<h2 id="short-term-mitigations-and-virtual-patching-waf-rules">Short‑term mitigations and virtual patching (WAF rules)</h2>
<p>If you cannot patch immediately, virtual patching with a properly configured WAF can reduce exposure. The examples below are generic and must be adapted and tested for your environment.</p>
<ol>
<li>Block common XSS payload patterns in requests targeting plugin endpoints:
<ul>
<li>Block if request contains “<script”, “onerror=”, “onload=”, “javascript:”, “svg/onload”, “img/onerror”.</li>
</ul>
</li>
<li>Rate limit POST requests to plugin endpoints and admin AJAX.</li>
<li>Restrict REQUEST_URI patterns that match plugin import paths if those endpoints are unused.</li>
</ol>
<p>Example ModSecurity style rule (adapt to your WAF platform):</p>
<pre><code># Example pattern-based WAF rule — adapt IDs & syntax to your WAF
SecRule REQUEST_URI "@pm /wp-admin/admin.php /wp-admin/admin-ajax.php /wp-json/" \
 "phase:2,t:none,chain,log,deny,msg:'Block potential stored XSS to plugin import endpoints',id:1000001"
  SecRule REQUEST_BODY|ARGS|ARGS_NAMES|XML:/* "@rx (<script\b|onerror\s*=|onload\s*=|javascript:|alert\(|<svg\b.*onload)" \
  "t:none,log,deny,status:403"</code></pre>
<p>Important: pattern matching may produce false positives. Run in log mode initially to tune rules before enforcing deny.</p>
<p>Temporary .htaccess protection for plugin folder:</p>
<pre><code># Deny access to plugin admin endpoints unless from trusted IPs (example)
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REQUEST_URI} ^/wp-content/plugins/json-content-importer/ [NC]
  # Allow trusted admin IP e.g. 203.0.113.5
  RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.5$
  RewriteRule ^.* - [F,L]
</IfModule></code></pre>
<p>Or deny public access to specific plugin PHP files unless strictly necessary.</p>
<h2 id="hardening-recommendations-long-term">Hardening recommendations (long term)</h2>
<ul>
<li>Keep everything updated — WordPress core, themes, and plugins.</li>
<li>Enforce least privilege: only grant Contributor or higher when required; consider manual approval for new contributors.</li>
<li>Require two‑factor authentication for elevated roles.</li>
<li>Reduce attack surface: uninstall or disable unused plugins, especially those that parse or import remote content.</li>
<li>Sanitize and escape:
<ul>
<li>Perform server‑side sanitization on input that may be output to admin pages.</li>
<li>Ensure plugin output is escaped using esc_html, esc_attr, wp_kses_post where appropriate.</li>
</ul>
</li>
<li>Implement a Content Security Policy (CSP) where compatible to limit inline script execution.</li>
<li>Prefer role‑scoped preview workflows that avoid exposing raw HTML from contributors to admins.</li>
<li>Log and monitor admin activity, file changes, and set up integrity checking (file hashes) and scheduled malware scans.</li>
<li>Harden file permissions and disable file editing by defining DISALLOW_FILE_EDIT in wp-config.php.</li>
<li>Choose plugins with active maintenance and a good security track record.</li>
</ul>
<h2 id="developer-checklist-what-to-fix-in-plugin-code">Developer checklist — what to fix in plugin code</h2>
<p>If you are auditing or maintaining code:</p>
<ul>
<li>Validate and sanitize all user‑controlled input before persisting to the database. Use wp_kses() / wp_kses_post() with a strict allowed set when HTML is expected.</li>
<li>Escape output when rendering in admin pages: esc_html(), esc_attr(), wp_kses_post(). Never echo unescaped HTML coming from untrusted users into admin pages.</li>
<li>Use nonce and capability checks on endpoints that accept input.</li>
<li>Avoid rendering raw JSON or unchecked data inside inline script blocks. If serializing data into JS, use wp_json_encode() and appropriate escaping.</li>
<li>Do not trust user roles alone — add contextual validation where appropriate.</li>
</ul>
<h2 id="useful-detection-cleanup-scripts">Useful detection & cleanup scripts</h2>
<p>Practical queries and commands you can run immediately.</p>
<pre><code>-- Search for "onerror=" and "onload=" in post content
SELECT ID, post_title, post_modified
FROM wp_posts
WHERE post_content LIKE '%onerror=%' OR post_content LIKE '%onload=%' OR post_content LIKE '%javascript:%';

-- Search for "<script" occurrences in postmeta
SELECT post_id, meta_key
FROM wp_postmeta
WHERE meta_value LIKE '%<script%';</code></pre>
<p>WP‑CLI example (use with caution and backups):</p>
<pre><code># Replace dangerous script tags with sanitized entity (backup first)
wp db query "UPDATE wp_posts SET post_content = REPLACE(post_content, '<script', '&lt;script') WHERE post_content LIKE '%<script%';"</code></pre>
<p>A safer approach is to export suspicious records and manually review before mass changes.</p>
<h2 id="why-a-waf-helps">Why a WAF helps</h2>
<p>A properly configured Web Application Firewall provides important short‑term benefits while you update vulnerable components:</p>
<ul>
<li>Virtual patching: block exploit patterns targeting plugin endpoints before the vendor update is applied.</li>
<li>Request inspection: catch and block payloads containing inline scripts, suspicious attributes, or known XSS signatures.</li>
<li>Detection: log and alert on suspicious requests, enabling faster incident response.</li>
</ul>
<p>WAFs are a layer in defense‑in‑depth and not a replacement for patching vulnerable code.</p>
<h2 id="example-waf-rule-logic-to-apply">Example WAF rule logic to apply</h2>
<ul>
<li>Deny POST requests with payloads containing common XSS constructs when targeting the plugin’s import/admin endpoints.</li>
<li>Block requests that include HTTP parameters like content= or json= with <script or onerror= patterns.</li>
<li>Run detection (log) mode first, tune rules to reduce false positives, then enable blocking.</li>
</ul>
<h2 id="practical-configuration-examples">Practical configuration examples</h2>
<ol>
<li>Limit Contributor role capabilities: remove upload_files and other unnecessary capabilities from Contributor.</li>
<li>Sanitize saves globally (temporary mu‑plugin):</li>
</ol>
<pre><code><?php
// Put in an mu-plugin to sanitize post content when saved by contributors
add_action('save_post', 'hk_sanitize_contributor_content', 10, 3);
function hk_sanitize_contributor_content($post_ID, $post, $update) {
  if (defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) return;
  $user = wp_get_current_user();
  if (in_array('contributor', (array)$user->roles)) {
    $clean = wp_kses($post->post_content, wp_kses_allowed_html('post'));
    if ($clean !== $post->post_content) {
      // Prevent infinite loop: remove action, update, re-add
      remove_action('save_post', 'hk_sanitize_contributor_content', 10);
      wp_update_post(array('ID' => $post_ID, 'post_content' => $clean));
      add_action('save_post', 'hk_sanitize_contributor_content', 10, 3);
    }
  }
}
?></code></pre>
<p>This is a temporary mitigation and does not replace the official plugin patch.</p>
<h2 id="post-update-verification">Post‑update verification</h2>
<ol>
<li>Confirm the plugin update applied successfully.</li>
<li>Re‑scan the database for XSS artifacts (script tags, event handlers).</li>
<li>Inspect admin pages where plugin output is shown to confirm values are escaped.</li>
<li>Review access logs for exploitation attempts and confirm any WAF logging shows expected entries.</li>
<li>Rotate admin credentials and API keys if you found evidence of compromise.</li>
</ol>
<h2 id="frequently-asked-questions">Frequently asked questions</h2>
<h3 id="q-im-a-small-blog-with-no-contributors-am-i-at-risk">Q: I’m a small blog with no contributors — am I at risk?</h3>
<p>A: Lower risk, but not zero. If any role beyond Subscriber interacts with the plugin, or if the plugin consumes remote JSON, you may be vulnerable. Update the plugin and review your usage.</p>
<h3 id="q-if-i-uninstall-the-plugin-does-that-remove-the-stored-payload">Q: If I uninstall the plugin, does that remove the stored payload?</h3>
<p>A: Not necessarily. Uninstalling may leave data in the database (options, postmeta). You should search for and remove malicious content in the database regardless of plugin removal.</p>
<h3 id="q-does-this-affect-front-end-only-or-admin-pages-too">Q: Does this affect front end only, or admin pages too?</h3>
<p>A: Stored XSS persists and can execute in any context that renders the malicious data — including admin pages. Admin UI rendering is particularly high risk.</p>
<h2 id="best-practices-recap">Best practices recap</h2>
<ul>
<li>Update the plugin to 2.0.10 immediately.</li>
<li>If you cannot update, disable the plugin, restrict Contributor access, and deploy virtual patches.</li>
<li>Scan the database and files for injected scripts and suspicious changes.</li>
<li>Enforce least privilege and require 2FA for elevated roles.</li>
<li>Implement monitoring, integrity checks, and a layered security posture with logging and regular scans.</li>
</ul>
<h2 id="example-forensic-checklist-what-to-look-for-after-an-exploit">Example forensic checklist (what to look for after an exploit)</h2>
<ul>
<li>New or modified admin users in the last 30 days.</li>
<li>Unexpected scheduled tasks (wp_cron entries calling unknown PHP files).</li>
<li>Database entries in wp_posts/postmeta containing <script> tags or onerror/onload attributes.</li>
<li>Modified core/plugin/theme files, especially if edited outside maintenance windows.</li>
<li>Outbound connections to suspicious IPs or domains (beacons).</li>
<li>Access logs showing POSTs to plugin import endpoints with suspicious payloads.</li>
</ul>
<h2 id="final-thoughts-from-a-hong-kong-security-expert">Final thoughts from a Hong Kong security expert</h2>
<p>Stored XSS that can be inserted by low‑privileged actors is particularly dangerous in CMS environments because it leverages normal human workflows like content review. Social engineering makes exploitation low effort and high impact. Patch as the primary remediation, and simultaneously apply short‑term mitigations — virtual patching, role restrictions, server‑side sanitization, and monitoring — to reduce the risk window.</p>
<p>If you require help implementing rules, running a forensic scan, or performing incident response, engage an experienced WordPress security practitioner. Rapid, careful investigation is critical when you suspect compromise.</p>
<p>Stay vigilant, keep plugins updated, and apply least privilege across content workflows.</p>
<p><em>— Hong Kong WordPress Security Advisory</em></p>
</article>
<p></body><br />
</html></p>

		</div>
		<section class="post-tags"><ul><li><h5 class="title-tags">标签：</h5></li><li><a href="https://wp-security.org/zh_cn/tag/wordpress-security/" rel="tag">WordPress Security</a></li></ul></section>		<div class="pk-share-buttons-wrap pk-share-buttons-layout-default pk-share-buttons-scheme-bold-bg pk-share-buttons-has-counts pk-share-buttons-has-total-counts pk-share-buttons-after-post pk-share-buttons-mode-php pk-share-buttons-mode-rest" data-post-id="3543" data-share-url="https://wp-security.org/zh_cn/vulnerability-database/community-alert-xss-in-json-importercve202515363/" >

							<div class="pk-share-buttons-total pk-share-buttons-total-no-count">
							<div class="pk-share-buttons-count cs-font-primary">0 Shares:</div>
						</div>
				
			<div class="pk-share-buttons-items">

										<div class="pk-share-buttons-item pk-share-buttons-facebook pk-share-buttons-no-count" data-id="facebook">

							<a href="https://www.facebook.com/sharer.php?u=https://wp-security.org/zh_cn/vulnerability-database/community-alert-xss-in-json-importercve202515363/" class="pk-share-buttons-link" target="_blank">

																	<i class="pk-share-buttons-icon pk-icon pk-icon-facebook"></i>
								
								
																	<span class="pk-share-buttons-label pk-font-primary">分享</span>
								
																	<span class="pk-share-buttons-count pk-font-secondary">0</span>
															</a>

							
							
													</div>
											<div class="pk-share-buttons-item pk-share-buttons-twitter pk-share-buttons-no-count" data-id="twitter">

							<a href="https://x.com/share?&text=%3Ctrp-post-container%20data-trp-post-id%3D%273543%27%3ECommunity%20Alert%20XSS%20in%20JSON%20Importer%28CVE202515363%29%3C%2Ftrp-post-container%3E&url=https://wp-security.org/zh_cn/vulnerability-database/community-alert-xss-in-json-importercve202515363/" class="pk-share-buttons-link" target="_blank">

																	<i class="pk-share-buttons-icon pk-icon pk-icon-twitter"></i>
								
								
																	<span class="pk-share-buttons-label pk-font-primary">推文</span>
								
																	<span class="pk-share-buttons-count pk-font-secondary">0</span>
															</a>

							
							
													</div>
											<div class="pk-share-buttons-item pk-share-buttons-pinterest pk-share-buttons-no-count" data-id="pinterest">

							<a href="https://pinterest.com/pin/create/bookmarklet/?url=https://wp-security.org/zh_cn/vulnerability-database/community-alert-xss-in-json-importercve202515363/&media=https://wp-security.org/wp-content/uploads/2026/03/2026-03-19CVE202515363WordPress-JSON-Content-Importer-Plugin-1024x576.jpg" class="pk-share-buttons-link" target="_blank">

																	<i class="pk-share-buttons-icon pk-icon pk-icon-pinterest"></i>
								
								
																	<span class="pk-share-buttons-label pk-font-primary">固定</span>
								
																	<span class="pk-share-buttons-count pk-font-secondary">0</span>
															</a>

							
							
													</div>
								</div>
		</div>
	

<section class="post-author">

	<div class="authors-compact">

			<div class="author-wrap">
			<div class="author">
				<div class="author-avatar">
					<a href="https://wp-security.org/zh_cn/author/wp-security/" rel="author">
						<img alt='' src='https://secure.gravatar.com/avatar/16bf83a02c7c3aa39247769e866366c2ea8ccfb8bd88a16ef3ac35925a1da888?s=120&#038;d=mm&#038;r=g' srcset='https://secure.gravatar.com/avatar/16bf83a02c7c3aa39247769e866366c2ea8ccfb8bd88a16ef3ac35925a1da888?s=240&#038;d=mm&#038;r=g 2x' class='avatar avatar-120 photo' height='120' width='120' decoding='async'/>					</a>
				</div>
				<div class="author-description">
					<h5 class="title-author">
						<span class="fn">
							<a href="https://wp-security.org/zh_cn/author/wp-security/" rel="author">
								WP Security Vulnerability Report							</a>
						</span>
					</h5>
					<p class="note"></p>
									</div>
			</div>
		</div>
	
	</div>

</section>


<div id="disqus_thread"></div>
	</div>

				</div>
			
	
</article>

					<div class="post-prev-next">
						<a class="link-item prev-link" href="https://wp-security.org/zh_cn/vulnerability-database/secure-community-database-reporting-guidenone/">
					<div class="link-content">
						<div class="link-label">
							<span class="link-arrow"></span><span class="link-text"> — 上一篇文章</span>
						</div>

						<h2 class="entry-title">
							Secure Community Database Reporting Guide(None)						</h2>
					</div>
				</a>
							<a class="link-item next-link" href="https://wp-security.org/zh_cn/vulnerability-database/hong-kong-security-advisory-code-embed-xsscve20262512/">
					<div class="link-content">
						<div class="link-label">
							<span class="link-text">下一篇文章 — </span><span class="link-arrow"></span>
						</div>

						<h2 class="entry-title">
							Hong Kong Security Advisory Code Embed XSS(CVE20262512)						</h2>
					</div>
				</a>
				</div>
		<section class="post-archive archive-related">

			<div class="archive-wrap">

				
				<div class="title-block-wrap">
					<h5 class="title-block">
						你可能也喜欢					</h5>
				</div>

				<div class="archive-main archive-list  archive-heading-small archive-borders-enabled archive-shadow-enabled archive-scale-enabled">

					
<article class="entry-without-preview post-909 post type-post status-publish format-standard has-post-thumbnail category-vulnerability-database tag-wordpress-security">
	<div class="post-outer">
		
		
		<div class="post-inner">
			<div class="meta-category"><a class="category-style" href="https://wp-security.org/zh_cn/category/vulnerability-database/"><span style="background-color:#EDF2FF" data-color="#EDF2FF" data-color-dark="#555555" class="char" data-scheme="default">W</span><span class="label">WordPress Vulnerability Database</span></a></div>			<header class="entry-header">
				<h2 class="entry-title"><a href="https://wp-security.org/zh_cn/vulnerability-database/hong-kong-security-advisory-wordpress-csrf-flawcve202553249/" rel="bookmark">Hong Kong Security Advisory WordPress CSRF Flaw(CVE202553249)</a></h2><ul class="post-meta"><li class="meta-date">8 月 14, 2025</li></ul>			</header>

							<div class="entry-details">
											<div class="entry-excerpt">
							WordPress Build App Online Plugin &lt;= 1.0.23 - Cross Site Request Forgery (CSRF) Vulnerability						</div>
					
									</div>
			
		</div><!-- .post-inner -->

	</div><!-- .post-outer -->
</article>

<article class="entry-without-preview post-3776 post type-post status-publish format-standard has-post-thumbnail category-vulnerability-database tag-wordpress-security">
	<div class="post-outer">
		
		
		<div class="post-inner">
			<div class="meta-category"><a class="category-style" href="https://wp-security.org/zh_cn/category/vulnerability-database/"><span style="background-color:#EDF2FF" data-color="#EDF2FF" data-color-dark="#555555" class="char" data-scheme="default">W</span><span class="label">WordPress Vulnerability Database</span></a></div>			<header class="entry-header">
				<h2 class="entry-title"><a href="https://wp-security.org/zh_cn/vulnerability-database/hong-kong-security-alert-wordpress-sql-injectioncve20264087/" rel="bookmark">Hong Kong Security Alert WordPress SQL Injection(CVE20264087)</a></h2><ul class="post-meta"><li class="meta-date">3 月 23, 2026</li></ul>			</header>

							<div class="entry-details">
											<div class="entry-excerpt">
							SQL Injection in WordPress Pre* Party Resource Hints Plugin						</div>
					
									</div>
			
		</div><!-- .post-inner -->

	</div><!-- .post-outer -->
</article>

<article class="entry-without-preview post-2030 post type-post status-publish format-standard has-post-thumbnail category-vulnerability-database tag-wordpress-security">
	<div class="post-outer">
		
		
		<div class="post-inner">
			<div class="meta-category"><a class="category-style" href="https://wp-security.org/zh_cn/category/vulnerability-database/"><span style="background-color:#EDF2FF" data-color="#EDF2FF" data-color-dark="#555555" class="char" data-scheme="default">W</span><span class="label">WordPress Vulnerability Database</span></a></div>			<header class="entry-header">
				<h2 class="entry-title"><a href="https://wp-security.org/zh_cn/vulnerability-database/protecting-users-from-easy-digital-downloads-redirectscve202514783/" rel="bookmark">Protecting Users From Easy Digital Downloads Redirects(CVE202514783)</a></h2><ul class="post-meta"><li class="meta-date">12 月 30, 2025</li></ul>			</header>

							<div class="entry-details">
											<div class="entry-excerpt">
							Open Redirection in WordPress Easy Digital Downloads Plugin						</div>
					
									</div>
			
		</div><!-- .post-inner -->

	</div><!-- .post-outer -->
</article>

<article class="entry-without-preview post-1129 post type-post status-publish format-standard has-post-thumbnail category-vulnerability-database tag-wordpress-security">
	<div class="post-outer">
		
		
		<div class="post-inner">
			<div class="meta-category"><a class="category-style" href="https://wp-security.org/zh_cn/category/vulnerability-database/"><span style="background-color:#EDF2FF" data-color="#EDF2FF" data-color-dark="#555555" class="char" data-scheme="default">W</span><span class="label">WordPress Vulnerability Database</span></a></div>			<header class="entry-header">
				<h2 class="entry-title"><a href="https://wp-security.org/zh_cn/vulnerability-database/hong-kong-security-alert-silencesoft-rss-csrfcve20257842/" rel="bookmark">Hong Kong Security Alert Silencesoft RSS CSRF(CVE20257842)</a></h2><ul class="post-meta"><li class="meta-date">8 月 22, 2025</li></ul>			</header>

							<div class="entry-details">
											<div class="entry-excerpt">
							WordPress Silencesoft RSS Reader plugin &lt;= 0.6 - Cross-Site Request Forgery to RSS Feed Deletion vulnerability						</div>
					
									</div>
			
		</div><!-- .post-inner -->

	</div><!-- .post-outer -->
</article>

<article class="entry-without-preview post-1401 post type-post status-publish format-standard has-post-thumbnail category-vulnerability-database tag-wordpress-security">
	<div class="post-outer">
		
		
		<div class="post-inner">
			<div class="meta-category"><a class="category-style" href="https://wp-security.org/zh_cn/category/vulnerability-database/"><span style="background-color:#EDF2FF" data-color="#EDF2FF" data-color-dark="#555555" class="char" data-scheme="default">W</span><span class="label">WordPress Vulnerability Database</span></a></div>			<header class="entry-header">
				<h2 class="entry-title"><a href="https://wp-security.org/zh_cn/vulnerability-database/hong-kong-security-alert-wp-dispatcher-vulnerabilitycve20259212/" rel="bookmark">Hong Kong Security Alert WP Dispatcher Vulnerability(CVE20259212)</a></h2><ul class="post-meta"><li class="meta-date">10 月 3, 2025</li></ul>			</header>

							<div class="entry-details">
											<div class="entry-excerpt">
							WordPress WP Dispatcher plugin &lt;= 1.2.0 - Authenticated (Subscriber+) Arbitrary File Upload vulnerability						</div>
					
									</div>
			
		</div><!-- .post-inner -->

	</div><!-- .post-outer -->
</article>

<article class="entry-without-preview post-826 post type-post status-publish format-standard has-post-thumbnail category-vulnerability-database tag-wordpress-security">
	<div class="post-outer">
		
		
		<div class="post-inner">
			<div class="meta-category"><a class="category-style" href="https://wp-security.org/zh_cn/category/vulnerability-database/"><span style="background-color:#EDF2FF" data-color="#EDF2FF" data-color-dark="#555555" class="char" data-scheme="default">W</span><span class="label">WordPress Vulnerability Database</span></a></div>			<header class="entry-header">
				<h2 class="entry-title"><a href="https://wp-security.org/zh_cn/vulnerability-database/hk-security-advisory-wordpress-menu-csrf-vulnerabilitycve20258491/" rel="bookmark">HK security advisory WordPress menu CSRF vulnerability(CVE20258491)</a></h2><ul class="post-meta"><li class="meta-date">8 月 12, 2025</li></ul>			</header>

							<div class="entry-details">
											<div class="entry-excerpt">
							WordPress Easy restaurant menu manager plugin &lt;= 2.0.2 - Cross-Site Request Forgery to Menu Upload vulnerability						</div>
					
									</div>
			
		</div><!-- .post-inner -->

	</div><!-- .post-outer -->
</article>
				</div>

			</div>

		</section>
	
	
	
			
			
		</main>

		
	</div><!-- .content-area -->


						
					</div><!-- .main-content -->

					
				</div><!-- .cs-container -->

				
			</div><!-- .site-content -->

			
			
			<footer id="colophon" class="site-footer">
									<div class="footer-subscribe">
						<div class="cs-container">
							<div class="subscribe-wrap">
															</div>
						</div>
					</div>
					
				
				<div class="footer-info">

					<div class="cs-container">

						<div class="site-info">

							<div class="footer-col-info">
																	<span class="site-title footer-title" href="https://wp-security.org/zh_cn/" rel="home">
										
										<img src="https://wp-security.org/wp-content/uploads/2025/08/WP-Security-logo-1-e1754494371106.png"  alt="WP Security" >									</span>
																										<div class="footer-copyright">
										© 2025 WP-Security.org Disclaimer: WP-Security.org is an independent, non-profit NGO community committed to sharing WordPress security news and information. We are not affiliated with WordPress, its parent company, or any related entities. All trademarks are the property of their respective owners.									</div>
																</div>

							
							
						</div>

					</div>

				</div>

			</footer>

			
		</div>

	</div><!-- .site-inner -->

	
</div><!-- .site -->


<template id="tp-language" data-tp-language="zh_CN"></template><script type="speculationrules">
{"prefetch":[{"source":"document","where":{"and":[{"href_matches":"/zh_cn/*"},{"not":{"href_matches":["/wp-*.php","/wp-admin/*","/wp-content/uploads/*","/wp-content/*","/wp-content/plugins/*","/wp-content/themes/squaretype/*","/zh_cn/*\\?(.+)"]}},{"not":{"selector_matches":"a[rel~=\"nofollow\"]"}},{"not":{"selector_matches":".no-prefetch, .no-prefetch a"}}]},"eagerness":"conservative"}]}
</script>
			<a href="#top" class="pk-scroll-to-top">
				<i class="pk-icon pk-icon-up"></i>
			</a>
					<div class="pk-mobile-share-overlay">
							</div>
			
			<script type="text/javascript">
				var _paq = _paq || [];
					_paq.push(['setCustomDimension', 1, '{"ID":3,"name":"WP Security Vulnerability Report","avatar":"f7de7e299d4a4b4c92c6f2c2a29a7ca7"}']);
				_paq.push(['trackPageView']);
								(function () {
					var u = "https://analytics2.wpmudev.com/";
					_paq.push(['setTrackerUrl', u + 'track/']);
					_paq.push(['setSiteId', '24942']);
					var d   = document, g = d.createElement('script'), s = d.getElementsByTagName('script')[0];
					g.type  = 'text/javascript';
					g.async = true;
					g.defer = true;
					g.src   = 'https://analytics.wpmucdn.com/matomo.js';
					s.parentNode.insertBefore(g, s);
				})();
			</script>
			<script id='kirki-viewport-lists'>var kirkiViewports = {"md":{"value":1200,"scale":1,"minWidth":1200,"maxWidth":1200,"title":"Desktop","icon":"desktop","activeIcon":"desktop-hover","id":"md","type":"max"},"tablet":{"value":991,"scale":1,"minWidth":991,"maxWidth":991,"title":"Tablet","icon":"tablet-default","activeIcon":"tablet-hover","type":"max","id":"tablet"},"mobileLandscape":{"value":767,"scale":1,"minWidth":767,"maxWidth":767,"title":"Landscape","icon":"phone-hr-default","activeIcon":"phone-hr-hover","type":"max","id":"mobileLandscape"},"mobile":{"value":575,"scale":1,"minWidth":575,"maxWidth":575,"title":"Mobile","icon":"phone-vr-default","activeIcon":"phone-vr-hover","type":"max","id":"mobile"}};</script><script id='kirki-variable-lists'>var kirkiCSSVariable = {"data":[{"title":"Colors","key":"color","modes":[{"title":"Default","key":"default"}],"variables":[]},{"title":"Numbers","key":"size","modes":[{"title":"Default","key":"default"}],"variables":[]},{"title":"Font Family","key":"font-family","modes":[{"title":"Default","key":"default"}],"variables":[]},{"title":"Text Styles","key":"text-style","modes":[{"title":"Default","key":"default"}],"variables":[]}]};</script><script id="kirki-api-and-nonce">
    window.wp_kirki = {
        ajaxUrl: "https://wp-security.org/wp-admin/admin-ajax.php",
        restUrl: "https://wp-security.org/zh_cn/wp-json/",
        siteUrl: "https://wp-security.org",
        apiVersion: "v1",
        postId: "3543",
        nonce: "72270e053a",
        call_from: "",
        templateId: "",
        context: {"id":3543,"type":"post"}
    };
    </script><script type="importmap" id="wp-importmap">
{"imports":{"@wordpress/interactivity":"https://wp-security.org/wp-includes/js/dist/script-modules/interactivity/index.min.js?ver=66c613f68580994bb00a","@surecart/checkout":"https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/checkout/index.js?ver=3bbe28b8db1e11147c67","@surecart/checkout-events":"https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/checkout-events/index.js?ver=ed9647bd6c7865efe2ad","@surecart/checkout-service":"https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/checkout-actions/index.js?ver=e445a0ee0396d75d52c0","@surecart/google-events":"https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/google/index.js?ver=d92e383a18bcf54ea538","@surecart/facebook-events":"https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/facebook/index.js?ver=cf5c6499cb7b867894c1","@wordpress/a11y":"https://wp-security.org/wp-includes/js/dist/script-modules/a11y/index.min.js?ver=b7d06936b8bc23cff2ad","@surecart/api-fetch":"https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/fetch/index.js?ver=1bfba8ea0694a193022a"}}
</script>
<script type="module" src="https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/line-item-note/index.js?ver=af6cf14267b5a9ad219f" id="@surecart/line-item-note-js-module"></script>
<script type="module" src="https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/checkout/index.js?ver=3bbe28b8db1e11147c67" id="@surecart/checkout-js-module"></script>
<script type="module" src="https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/cart/index.js?ver=c2f35b71b4309df849fe" id="@surecart/cart-js-module"></script>
<script type="module" src="https://wp-security.org/wp-content/plugins/surecart/packages/blocks-next/build/scripts/order-bumps/index.js?ver=c639def39210a6244eb2" id="@surecart/order-bumps-js-module"></script>
<script type="application/json" id="wp-script-module-data-@wordpress/interactivity">
{"state":{"surecart/order-bumps":{"currentPage":1,"perPage":3},"surecart/checkout":{"checkout":{"line_items":{"data":[]}},"discountIsRedeemable":false,"isDiscountApplied":false,"hasDiscountAmount":false,"hasSubtotalScratchAmount":false,"itemsCount":0,"hasItems":false}}}
</script>
		<div id="fb-root"></div>
		<script async defer crossorigin="anonymous" src="https://connect.facebook.net/zh_CN/sdk.js#xfbml=1&version=v17.0&appId=&autoLogAppEvents=1" nonce="Ci8te34e"></script>
					<script>
					window.scFetchData =
					{"root_url":"https:\/\/wp-security.org\/zh_cn\/wp-json\/","nonce":"72270e053a","nonce_endpoint":"https:\/\/wp-security.org\/wp-admin\/admin-ajax.php?action=sc-rest-nonce"}				</script>
				<!-- Render the cart. --> <div data-wp-context='{"formId":131,"mode":"live"}' data-wp-interactive='{ "namespace": "surecart/checkout" }' data-wp-init="callbacks.init" data-wp-watch="callbacks.onChangeCheckout" data-wp-on-window--storage="callbacks.syncTabs" class="sc-cart-wrapper is-layout-flow wp-container-surecart-slide-out-cart-is-layout-d6743c7d wp-block-surecart-slide-out-cart-is-layout-flow" > <div style="width: 525px; font-size:15px;" class="sc-drawer sc-cart-drawer wp-block-surecart-slide-out-cart" role="dialog" data-wp-bind--aria-label="surecart/cart::state.ariaLabel" data-wp-class--open="surecart/cart::state.open" data-wp-on--keydown="surecart/cart::actions.handleKeydown" > <!-- Cart alert --> <div class="sc-alert sc-alert__alert--danger" role="alert" aria-live="assertive" aria-atomic="true" data-wp-bind--hidden="!state.error" hidden> <div class="sc-alert__icon"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <circle cx="12" cy="12" r="10" /> <line x1="12" y1="8" x2="12" y2="12" /> <line x1="12" y1="16" x2="12.01" y2="16" /> </svg> </div> <div class="sc-alert__text"> <div class="sc-alert__title"> <span data-wp-text="state.errorTitle"></span> </div> <div class="sc-alert__message"> <div data-wp-text="state.errorMessage"></div> <template data-wp-each--message="state.additionalErrors"> <div> <span data-wp-text="context.message"></span> </div> </template> </div> </div> </div> <div class="wp-block-group is-content-justification-space-between is-nowrap is-layout-flex wp-container-core-group-is-layout-09de181c wp-block-group-is-layout-flex" style="padding-top:1.5em;padding-right:2em;padding-bottom:0em;padding-left:2em"> <div style="line-height:1;" class="wp-block-surecart-cart-close-button" data-wp-on--click="surecart/cart::actions.toggle" data-wp-on--keypress="surecart/cart::actions.toggle" role="button" tabindex="0" aria-label="关闭购物车" > <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <line x1="5" y1="12" x2="19" y2="12" /> <polyline points="12 5 19 12 12 19" /> </svg> </div> <p style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;font-size:16px;font-style:normal;font-weight:500;line-height:1"> 查看我的订单</p> <span style="font-size:14px;font-weight:600;line-height:1; border-radius:4px; padding-top:6px;padding-bottom:6px;padding-left:10px;padding-right:10px;" class="wp-block-surecart-cart-count" data-wp-text="state.itemsCount">0</span> </div> <div class="wp-block-group wp-container-content-9cfa9a5a"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow"> <div style="padding-top:2em;padding-bottom:2em;padding-left:2em;padding-right:2em;" class="wp-block-surecart-slide-out-cart-line-items is-layout-flow wp-container-surecart-slide-out-cart-line-items-is-layout-546f3c6d wp-block-surecart-slide-out-cart-line-items-is-layout-flow" role="list"> <template data-wp-each--line_item="state.checkoutLineItems" data-wp-each-key="context.line_item.id" > <div class="sc-product-line-item" data-wp-class--sc-product-line-item--has-swap="state.swap" role="listitem" data-wp-bind--aria-label="state.lineItemAriaLabel"> <div class="sc-product-line-item__content"> <div class="wp-block-group wp-container-content-9cfa9a5a"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow"> <div class="wp-block-group is-nowrap is-layout-flex wp-container-core-group-is-layout-bd3f9bef wp-block-group-is-layout-flex"> <figure class="sc-cart-line-item-image-wrap wp-container-content-962be591 wp-duotone-unset-1" data-wp-bind--hidden="!context.line_item.image.src"> <img style="aspect-ratio:1;border-radius:4px;border-width:1px;margin-top:0;margin-bottom:0; margin-top:0;margin-bottom:0;" class="sc-is-covered wp-block-surecart-cart-line-item-image" data-wp-bind--alt="context.line_item.image.alt" data-wp-bind--srcset="context.line_item.image.srcset" data-wp-bind--sizes="context.line_item.image.sizes" data-wp-bind--src="context.line_item.image.src" loading="lazy" /> </figure> <div class="wp-block-group wp-container-content-9cfa9a5a is-vertical is-content-justification-stretch is-nowrap is-layout-flex wp-container-core-group-is-layout-a46423eb wp-block-group-is-layout-flex"> <div class="wp-block-group wp-container-content-9cfa9a5a is-content-justification-space-between is-nowrap is-layout-flex wp-container-core-group-is-layout-eb80f53d wp-block-group-is-layout-flex"> <div class="wp-block-group wp-container-content-9cfa9a5a"><div class="wp-block-group__inner-container is-layout-flow wp-container-core-group-is-layout-d6743c7d wp-block-group-is-layout-flow"> <a style="font-style:normal;font-weight:500;line-height:1.4;text-decoration:none;" class="wp-block-surecart-cart-line-item-title" data-wp-bind--href="state.lineItemPermalink"> <span data-wp-text="context.line_item.price.product.name"></span> </a> <div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-container-core-group-is-layout-d6743c7d wp-block-group-is-layout-flow"> <div style="font-size:14px;line-height:1.4;" class="wp-block-surecart-cart-line-item-price-name" data-wp-text="state.lineItemPriceName" data-wp-bind--hidden="!state.lineItemPriceName"></div> <div style="font-size:14px;line-height:1.4;" class="wp-block-surecart-cart-line-item-variant" data-wp-text="state.lineItemVariant" data-wp-bind--hidden="!state.lineItemVariant"></div> <div data-wp-interactive='{ "namespace": "surecart/line-item-note" }' style="font-size:14px;line-height:1.4;" class="wp-block-surecart-cart-line-item-note" data-wp-context='{}' data-wp-run="callbacks.init" data-wp-class--line-item-note--is-expanded="context.noteExpanded" data-wp-class--line-item-note--is-collapsible="context.showToggle" data-wp-bind--hidden="surecart/checkout::!state.lineItemNote" data-wp-on--click="actions.toggleNoteExpanded" data-wp-on--keydown="actions.toggleNoteExpanded" data-wp-bind--role="button" data-wp-bind--disabled="!context.showToggle" data-wp-bind--aria-expanded="context.noteExpanded" data-wp-bind--aria-label="Toggle note visibility" tabindex="0" > <div class="line-item-note__text" data-wp-text="surecart/checkout::state.lineItemNote" ></div> <span class="sc-icon" data-wp-class--sc-icon--rotated="context.noteExpanded" > <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <polyline points="6 9 12 15 18 9" /> </svg> </span> </div> </div></div> <div class="sc-product-line-item__purchasable-status wp-block-surecart-cart-line-item-status has-text-align-right" data-wp-text="context.line_item.purchasable_status_display" data-wp-bind--hidden="!context.line_item.purchasable_status_display" role="status" aria-live="polite" aria-atomic="true" >&nbsp;</div> </div></div> <div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-container-core-group-is-layout-d6743c7d wp-block-group-is-layout-flow"> <div class="wp-block-group is-content-justification-right is-nowrap is-layout-flex wp-container-core-group-is-layout-f8a47911 wp-block-group-is-layout-flex" style="line-height:1.4"> <div class="wp-block-surecart-cart-line-item-scratch-amount" data-wp-text="context.line_item.scratch_display_amount" data-wp-bind--hidden="!state.lineItemHasScratchAmount" ></div> <div style="font-style:normal;font-weight:500;" class="wp-block-surecart-cart-line-item-amount has-text-align-right" data-wp-text="context.line_item.subtotal_display_amount"></div> <div style="font-size:14px;" class="wp-block-surecart-cart-line-item-interval" data-wp-bind--hidden="!context.line_item.price.short_interval_text"> <span class="wp-block-surecart-cart-line-item-interval__interval" data-wp-bind--hidden="!context.line_item.price.short_interval_text" data-wp-text="context.line_item.price.short_interval_text" ></span> <span class="wp-block-surecart-cart-line-item-interval__count" data-wp-bind--hidden="!context.line_item.price.short_interval_count_text" data-wp-text="context.line_item.price.short_interval_count_text" ></span> </div> </div> <div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-container-core-group-is-layout-d6743c7d wp-block-group-is-layout-flow"> <div style="font-size:14px;" class="wp-block-surecart-cart-line-item-trial has-text-align-right" data-wp-bind--hidden="!context.line_item.price.trial_text" data-wp-text="context.line_item.price.trial_text" ></div> <template data-wp-each--fee="state.lineItemFees" data-wp-each-key="context.fee.id" > <div style="font-size:14px;" class="wp-block-surecart-cart-line-item-fees has-text-align-right"> <span style="font-size:14px;" class="wp-block-surecart-cart-line-item-fees has-text-align-right" data-wp-text="context.fee.display_amount" ></span> <span style="font-size:14px;" class="wp-block-surecart-cart-line-item-fees has-text-align-right" data-wp-text="context.fee.description" ></span> </div> </template> </div></div> </div></div> </div> <div class="wp-block-group is-content-justification-space-between is-nowrap is-layout-flex wp-container-core-group-is-layout-c0dd7891 wp-block-group-is-layout-flex"> <div class="wp-block-group wp-container-content-9cfa9a5a"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow"><div class="sc-input-group sc-input-group-sm sc-quantity-selector wp-block-surecart-cart-line-item-quantity" data-wp-class--quantity--disabled="state.isQuantityDisabled" data-wp-bind--hidden="!state.isEditable" hidden="1"> <div class="sc-input-group-text sc-quantity-selector__decrease" role="button" tabindex="0" data-wp-on--click="surecart/checkout::actions.onQuantityDecrease" data-wp-on--keydown="surecart/checkout::actions.onQuantityDecrease" data-wp-bind--disabled="state.isQuantityDecreaseDisabled" data-wp-bind--aria-disabled="state.isQuantityDecreaseDisabled" data-wp-class--button--disabled="state.isQuantityDecreaseDisabled" data-wp-bind--aria-label="surecart/checkout::state.decreaseQuantityAriaLabel" > <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <line x1="5" y1="12" x2="19" y2="12" /> </svg> </div> <input type="number" class="sc-form-control sc-quantity-selector__control" data-wp-bind--value="context.line_item.quantity" data-wp-on--change="surecart/checkout::actions.onQuantityChange" data-wp-bind--min="context.line_item.min" data-wp-bind--aria-valuemin="context.line_item.min" data-wp-bind--max="context.line_item.max" data-wp-bind--aria-valuemax="context.line_item.max" data-wp-bind--aria-valuenow="context.line_item.quantity" data-wp-bind--disabled="surecart/checkout::state.loading" data-wp-bind--aria-label="surecart/checkout::state.quantityInputAriaLabel" step="1" autocomplete="off" role="spinbutton" /> <div class="sc-input-group-text sc-quantity-selector__increase" role="button" tabindex="0" data-wp-on--click="surecart/checkout::actions.onQuantityIncrease" data-wp-on--keydown="surecart/checkout::actions.onQuantityIncrease" data-wp-bind--disabled="state.isQuantityIncreaseDisabled" data-wp-bind--aria-disabled="state.isQuantityIncreaseDisabled" data-wp-class--button--disabled="state.isQuantityIncreaseDisabled" data-wp-bind--aria-label="surecart/checkout::state.increaseQuantityAriaLabel" > <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <line x1="12" y1="5" x2="12" y2="19" /> <line x1="5" y1="12" x2="19" y2="12" /> </svg> </div> </div> </div></div> <div class="wp-block-group is-vertical is-content-justification-right is-layout-flex wp-container-core-group-is-layout-4269a6fd wp-block-group-is-layout-flex"> <div style="font-size:14px;font-style:normal;font-weight:400;" class="wp-block-surecart-cart-line-item-remove" data-wp-bind--aria-label="surecart/checkout::state.removeItemAriaLabel" data-wp-on--click="surecart/checkout::actions.removeLineItem" data-wp-on--keydown="surecart/checkout::actions.removeLineItem" role="button" tabindex="0" > <svg class="wp-block-surecart-cart-line-item-remove__icon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <line x1="18" y1="6" x2="6" y2="18" /> <line x1="6" y1="6" x2="18" y2="18" /> </svg> <span class="wp-block-surecart-cart-line-item-remove__label"> 移除 </span> </div> </div> </div> </div> </div> </div></div> </div> <div class="sc-product-line-item__swap" data-wp-bind--hidden="!state.swap" hidden data-wp-on--click="actions.toggleSwap"> <div class="sc-product-line-item__swap-content"> <button type="button" class="sc-toggle" role="switch" aria-checked="false" data-wp-bind--aria-checked="context.line_item.swap" data-wp-class--sc-toggle--checked="context.line_item.swap"> <span class="sc-toggle__label">使用设置</span> <span aria-hidden="true" class="sc-toggle__knob"></span> </button> <span data-wp-text="state.swap.description"></span> </div> <div class="sc-product-line-item__swap-amount"> <span data-wp-text="state.swapDisplayAmount" class="sc-product-line-item__swap-amount-value"></span> <span data-wp-text="state.swapIntervalText" class="sc-product-line-item__swap-amount-interval"></span> <span data-wp-text="state.swapIntervalCountText" class="sc-product-line-item__swap-amount-interval-count"></span> </div> </div> </div> </template> </div> </div></div> <div class="wp-block-group" style="border-top-color:#b0b0b069;border-top-width:1px;padding-top:0em;padding-right:0em;padding-bottom:0em;padding-left:0em"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow"> <div style="border-bottom-width:1px;border-bottom-color:#b0b0b069; padding-top:1.5em;padding-bottom:1.5em;padding-left:2em;padding-right:2em;" class="wp-block-surecart-cart-order-bumps" data-wp-context='{"hideAddedItems":true}' data-wp-interactive='{ "namespace": "surecart/order-bumps" }' data-wp-init="callbacks.init" data-wp-bind--hidden="!state.hasOrderBumps" hidden> <div class="wp-block-group is-content-justification-space-between is-nowrap is-layout-flex wp-container-core-group-is-layout-1ceffb7a wp-block-group-is-layout-flex" style="margin-bottom:0.75em"> <p style="margin-top:0;margin-bottom:0;font-style:normal;font-weight:500">为您推荐</p> <nav class="wp-block-surecart-cart-order-bump-pagination is-layout-flex wp-container-surecart-cart-order-bump-pagination-is-layout-d04bdab2 wp-block-surecart-cart-order-bump-pagination-is-layout-flex" data-wp-bind--hidden="!state.showPagination" aria-label="订单增项分页" hidden> <div aria-disabled="true" disabled class="has-arrow-type-chevron wp-block-surecart-cart-order-bump-pagination-previous" data-wp-on--click="surecart/order-bumps::actions.previousPage" data-wp-on--keydown="surecart/order-bumps::actions.handlePreviousKeydown" data-wp-bind--disabled="!state.hasPreviousPage" data-wp-bind--aria-disabled="!state.hasPreviousPage" aria-label="上一页" role="button" tabindex="0" > <svg aria-hidden="true" class="wp-block-surecart-cart-order-bump-pagination-previous__icon" xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <polyline points="15 18 9 12 15 6" /> </svg> </div> <div aria-disabled="true" disabled class="has-arrow-type-chevron wp-block-surecart-cart-order-bump-pagination-next" data-wp-on--click="surecart/order-bumps::actions.nextPage" data-wp-on--keydown="surecart/order-bumps::actions.handleNextKeydown" data-wp-bind--disabled="!state.hasNextPage" data-wp-bind--aria-disabled="!state.hasNextPage" aria-label="下一页" role="button" tabindex="0" > <svg aria-hidden="true" class="wp-block-surecart-cart-order-bump-pagination-next__icon" xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <polyline points="9 18 15 12 9 6" /> </svg> </div> </nav> </div> <ul class="wp-block-surecart-cart-order-bump-template is-layout-flex wp-container-surecart-cart-order-bump-template-is-layout-242c3b10 wp-block-surecart-cart-order-bump-template-is-layout-flex" role="list" data-wp-class--has-overflow="state.hasMultipleBumps" data-wp-on--scrollend="callbacks.onCarouselScroll" data-wp-on--keydown="actions.handleCarouselKeydown" tabindex="0" data-wp-bind--aria-label="state.orderBumpsListAriaLabel" > <template data-wp-each--bump="state.orderBumps" data-wp-each-key="context.bump.id" > <li class="sc-cart-order-bump-item" role="listitem"> <div class="wp-block-group has-border-color wp-container-content-9cfa9a5a is-nowrap is-layout-flex wp-container-core-group-is-layout-811b0336 wp-block-group-is-layout-flex" style="border-color:#e0e0e0;border-width:1px;border-radius:12px;padding-top:0.75em;padding-right:1em;padding-bottom:0.75em;padding-left:0.75em"> <figure class="sc-cart-order-bump-image-wrap wp-container-content-d0d0a6b5" data-wp-bind--hidden="!context.bump.price.product.line_item_image.src"> <img style="aspect-ratio:1;width:72px;border-radius:8px;" class="sc-is-covered wp-block-surecart-cart-order-bump-image" data-wp-bind--alt="context.bump.price.product.name" data-wp-bind--src="context.bump.price.product.line_item_image.src" loading="lazy" /> </figure> <div class="wp-block-group wp-container-content-9cfa9a5a is-vertical is-layout-flex wp-container-core-group-is-layout-42e9c677 wp-block-group-is-layout-flex"> <span style="font-size:15px;font-weight:600;line-height:1.3;" class="wp-block-surecart-cart-order-bump-title" data-wp-text="context.bump.name" ></span> <div style="color:#6b7280; font-size:13px;line-height:1.3;" class="wp-block-surecart-cart-order-bump-description has-text-color" data-wp-bind--hidden="!context.bump.metadata.description" data-wp-text="context.bump.metadata.description" hidden></div> <div class="wp-block-group is-nowrap is-layout-flex wp-container-core-group-is-layout-89a94f6a wp-block-group-is-layout-flex"> <div style="font-size:14px;" class="wp-block-surecart-cart-order-bump-scratch-amount" data-wp-text="context.bump.subtotal_display_amount" data-wp-bind--hidden="!state.bumpHasDiscount" ></div> <div style="font-size:14px;font-weight:500;" class="wp-block-surecart-cart-order-bump-amount" data-wp-text="context.bump.total_display_amount"></div> </div> </div> <div style="font-size:18px;font-weight:400; border-color:#d1d5db;border-top-left-radius:74.6%;border-top-right-radius:74.6%;border-bottom-left-radius:74.6%;border-bottom-right-radius:74.6%;border-width:1px; padding-top:0.5em;padding-bottom:0.5em;padding-left:0.5em;padding-right:0.5em;" class="sc-cart-order-bump-add-button wp-block-surecart-cart-order-bump-add-button has-border-color" role="button" tabindex="0" data-wp-on--click="surecart/order-bumps::actions.addBumpToCart" data-wp-on--keydown="surecart/order-bumps::actions.handleAddButtonKeydown" data-wp-bind--disabled="state.isBumpInCart" data-wp-bind--aria-disabled="state.isBumpInCart" data-wp-class--sc-cart-order-bump-add-button--added="state.isBumpInCart" data-wp-bind--aria-label="state.addButtonAriaLabel" aria-label="添加到购物车" > <span class="sc-cart-order-bump-add-button__icon" aria-hidden="true" data-wp-bind--hidden="state.isBumpInCart"> <svg aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <line x1="12" y1="5" x2="12" y2="19" /> <line x1="5" y1="12" x2="19" y2="12" /> </svg> </span> <span class="sc-cart-order-bump-add-button__icon" aria-hidden="true" data-wp-bind--hidden="!state.isBumpInCart" hidden> <svg aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <polyline points="20 6 9 17 4 12" /> </svg> </span> </div> </div> </li> </template> </ul> </div> <div class="wp-block-group" style="margin-top:0;margin-bottom:0;padding-top:2em;padding-right:2em;padding-bottom:2em;padding-left:2em"><div class="wp-block-group__inner-container is-layout-constrained wp-container-core-group-is-layout-a63a6252 wp-block-group-is-layout-constrained"> <div class="wp-block-surecart-slide-out-cart-items-subtotal is-content-justification-space-between is-nowrap is-layout-flex wp-container-surecart-slide-out-cart-items-subtotal-is-layout-7351673c wp-block-surecart-slide-out-cart-items-subtotal-is-layout-flex"> <div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-container-core-group-is-layout-d6743c7d wp-block-group-is-layout-flow"> <p style="margin-top:0px;margin-bottom:0px;font-size:18px;font-style:normal;font-weight:500;line-height:1.4"> 小计</p> <p class="has-text-color has-link-color wp-elements-3ccbd622ec95a2fb9ce4984e15710a06" style="color:var(--sc-input-help-text-color);font-size:14px;line-height:1.4">税费和运费在结账时计算</p> </div></div> <div class="wp-block-group is-content-justification-right is-nowrap is-layout-flex wp-container-core-group-is-layout-f8a47911 wp-block-group-is-layout-flex"><span style="font-size:18px;line-height:1.4;" class="wp-block-surecart-cart-subtotal-scratch-amount" data-wp-text="state.checkout.subtotal_scratch_display_amount" data-wp-bind--hidden="!state.hasSubtotalScratchAmount" data-wp-bind--aria-label="state.subtotalScratchAriaLabel" hidden></span> <span style="font-size:18px;font-style:normal;font-weight:500;line-height:1.4;" class="wp-block-surecart-cart-subtotal-amount" data-wp-text="state.checkout.subtotal_display_amount"></span> </div> </div> <div class="sc-cart-items-submit__wrapper" style="" > <div class="wp-block-button"> <a style="border-radius:4px;" class="wp-block-button__link wp-element-button sc-button__link wp-block-surecart-slide-out-cart-items-submit" href="https://wp-security.org/zh_cn/checkout/" data-wp-bind--disabled="state.loading" data-wp-class--sc-button__link--busy="state.loading" > <span class="sc-spinner" aria-hidden="false"></span> <span class="sc-button__link-text">结账</span> </a> </div> </div> </div></div> </div></div> <div class="sc-block-ui" data-wp-bind--hidden="!state.loading" hidden></div> </div> <!-- backdrop --> <div class="sc-drawer__backdrop" data-wp-on--mousedown="surecart/cart::actions.closeOverlay" data-wp-on--touchstart="surecart/cart::actions.closeOverlay" data-wp-class--show="surecart/cart::state.open" data-wp-on--keydown="surecart/cart::actions.handleKeydown"></div> </div> <!-- Render floating cart icon --> <div data-wp-interactive='{ "namespace": "surecart/checkout" }' class="wp-block-surecart-cart-icon" data-wp-context='{"formId":131,"mode":"live"}' data-wp-on--click="surecart/cart::actions.toggle" data-wp-on--keydown="surecart/cart::actions.toggle" tabindex="0" role="button" data-wp-bind--hidden="!state.hasItems" hidden> <div class="wp-block-surecart-cart-icon__container"> <div class="wp-block-surecart-cart-icon__icon" aria-label="购物车按钮。."> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"> <path d="M6 2L3 6v14a2 2 0 0 0 2 2h14a2 2 0 0 0 2-2V6l-3-4z" /> <line x1="3" y1="6" x2="21" y2="6" /> <path d="M16 10a4 4 0 0 1-8 0" /> </svg> </div> <span class="wp-block-surecart-cart-icon__count" data-wp-text="state.itemsCount" data-wp-bind--aria-label="state.itemsCountAriaLabel" >0</span> </div> </div><script src="https://wp-security.org/wp-includes/js/dist/url.min.js?ver=9e178c9516d1222dc834" id="wp-url-js"></script>
<script src="https://wp-security.org/wp-includes/js/dist/hooks.min.js?ver=dd5603f07f9220ed27f1" id="wp-hooks-js"></script>
<script src="https://wp-security.org/wp-includes/js/dist/i18n.min.js?ver=c26c3dc7bed366793375" id="wp-i18n-js"></script>
<script id="wp-i18n-js-after">
wp.i18n.setLocaleData( { 'text direction\u0004ltr': [ 'ltr' ] } );
//# sourceURL=wp-i18n-js-after
</script>
<script id="wp-api-fetch-js-translations">
( function( domain, translations ) {
	var localeData = translations.locale_data[ domain ] || translations.locale_data.messages;
	localeData[""].domain = domain;
	wp.i18n.setLocaleData( localeData, domain );
} )( "default", {"translation-revision-date":"2026-04-01 20:39:14+0000","generator":"GlotPress\/4.0.3","domain":"messages","locale_data":{"messages":{"":{"domain":"messages","plural-forms":"nplurals=1; plural=0;","lang":"zh_CN"},"The response is not a valid JSON response.":["\u6b64\u54cd\u5e94\u4e0d\u662f\u5408\u6cd5\u7684 JSON \u54cd\u5e94\u3002"],"Media upload failed. If this is a photo or a large image, please scale it down and try again.":["\u5a92\u4f53\u4e0a\u4f20\u5931\u8d25\u3002\u5982\u679c\u8fd9\u662f\u4e00\u5f20\u8f83\u5927\u7684\u7167\u7247\u6216\u56fe\u7247\uff0c\u8bf7\u5c06\u5176\u7f29\u5c0f\u5e76\u91cd\u65b0\u4e0a\u4f20\u3002"],"Unable to connect. Please check your Internet connection.":["\u65e0\u6cd5\u8fde\u63a5\u3002\u8bf7\u68c0\u67e5\u60a8\u7684\u4e92\u8054\u7f51\u8fde\u63a5\u3002"],"Could not get a valid response from the server.":["\u65e0\u6cd5\u4ece\u670d\u52a1\u5668\u83b7\u53d6\u6709\u6548\u54cd\u5e94\u3002"]}},"comment":{"reference":"wp-includes\/js\/dist\/api-fetch.js"}} );
//# sourceURL=wp-api-fetch-js-translations
</script>
<script src="https://wp-security.org/wp-includes/js/dist/api-fetch.min.js?ver=3a4d9af2b423048b0dee" id="wp-api-fetch-js"></script>
<script id="wp-api-fetch-js-after">
wp.apiFetch.use( wp.apiFetch.createRootURLMiddleware( "https://wp-security.org/zh_cn/wp-json/" ) );
wp.apiFetch.nonceMiddleware = wp.apiFetch.createNonceMiddleware( "72270e053a" );
wp.apiFetch.use( wp.apiFetch.nonceMiddleware );
wp.apiFetch.use( wp.apiFetch.mediaUploadMiddleware );
wp.apiFetch.nonceEndpoint = "https://wp-security.org/wp-admin/admin-ajax.php?action=rest-nonce";
//# sourceURL=wp-api-fetch-js-after
</script>
<script src="https://wp-security.org/wp-includes/js/dist/dom-ready.min.js?ver=f77871ff7694fffea381" id="wp-dom-ready-js"></script>
<script id="wp-a11y-js-translations">
( function( domain, translations ) {
	var localeData = translations.locale_data[ domain ] || translations.locale_data.messages;
	localeData[""].domain = domain;
	wp.i18n.setLocaleData( localeData, domain );
} )( "default", {"translation-revision-date":"2026-04-01 20:39:14+0000","generator":"GlotPress\/4.0.3","domain":"messages","locale_data":{"messages":{"":{"domain":"messages","plural-forms":"nplurals=1; plural=0;","lang":"zh_CN"},"Notifications":["\u901a\u77e5"]}},"comment":{"reference":"wp-includes\/js\/dist\/a11y.js"}} );
//# sourceURL=wp-a11y-js-translations
</script>
<script src="https://wp-security.org/wp-includes/js/dist/a11y.min.js?ver=cb460b4676c94bd228ed" id="wp-a11y-js"></script>
<script id="trp-dynamic-translator-js-extra">
var trp_data = {"trp_custom_ajax_url":"https://wp-security.org/wp-content/plugins/translatepress-multilingual/includes/trp-ajax.php","trp_wp_ajax_url":"https://wp-security.org/wp-admin/admin-ajax.php","trp_language_to_query":"zh_CN","trp_original_language":"en_US","trp_current_language":"zh_CN","trp_skip_selectors":["[data-no-translation]","[data-no-dynamic-translation]","[data-trp-translate-id-innertext]","script","style","head","trp-span","translate-press","[data-trp-translate-id]","[data-trpgettextoriginal]","[data-trp-post-slug]"],"trp_base_selectors":["data-trp-translate-id","data-trpgettextoriginal","data-trp-post-slug"],"trp_attributes_selectors":{"text":{"accessor":"outertext","attribute":false},"block":{"accessor":"innertext","attribute":false},"image_src":{"selector":"img[src]","accessor":"src","attribute":true},"submit":{"selector":"input[type='submit'],input[type='button'], input[type='reset']","accessor":"value","attribute":true},"placeholder":{"selector":"input[placeholder],textarea[placeholder]","accessor":"placeholder","attribute":true},"title":{"selector":"[title]","accessor":"title","attribute":true},"a_href":{"selector":"a[href]","accessor":"href","attribute":true},"button":{"accessor":"outertext","attribute":false},"option":{"accessor":"innertext","attribute":false},"aria_label":{"selector":"[aria-label]","accessor":"aria-label","attribute":true},"video_src":{"selector":"video[src]","accessor":"src","attribute":true},"video_poster":{"selector":"video[poster]","accessor":"poster","attribute":true},"video_source_src":{"selector":"video source[src]","accessor":"src","attribute":true},"audio_src":{"selector":"audio[src]","accessor":"src","attribute":true},"audio_source_src":{"selector":"audio source[src]","accessor":"src","attribute":true},"picture_image_src":{"selector":"picture image[src]","accessor":"src","attribute":true},"picture_source_srcset":{"selector":"picture source[srcset]","accessor":"srcset","attribute":true}},"trp_attributes_accessors":["outertext","innertext","src","value","placeholder","title","href","aria-label","poster","srcset"],"gettranslationsnonceregular":"b3ba52ef04","showdynamiccontentbeforetranslation":"","skip_strings_from_dynamic_translation":[],"skip_strings_from_dynamic_translation_for_substrings":{"href":["amazon-adsystem","googleads","g.doubleclick"]},"duplicate_detections_allowed":"100","trp_translate_numerals_opt":"no","trp_no_auto_translation_selectors":["[data-no-auto-translation]"]};
//# sourceURL=trp-dynamic-translator-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/translatepress-multilingual/assets/js/trp-translate-dom-changes.js?ver=3.1.8" id="trp-dynamic-translator-js"></script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/assets/js/_scripts.js?ver=3.0.7" id="powerkit-js"></script>
<script src="https://wp-security.org/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=6.1.5" id="swv-js"></script>
<script id="contact-form-7-js-translations">
( function( domain, translations ) {
	var localeData = translations.locale_data[ domain ] || translations.locale_data.messages;
	localeData[""].domain = domain;
	wp.i18n.setLocaleData( localeData, domain );
} )( "contact-form-7", {"translation-revision-date":"2024-09-10 17:33:27+0000","generator":"GlotPress\/4.0.3","domain":"messages","locale_data":{"messages":{"":{"domain":"messages","plural-forms":"nplurals=1; plural=0;","lang":"zh_CN"},"Error:":["\u62a5\u9519\uff1a"]}},"comment":{"reference":"includes\/js\/index.js"}} );
//# sourceURL=contact-form-7-js-translations
</script>
<script id="contact-form-7-js-before">
var wpcf7 = {
    "api": {
        "root": "https:\/\/wp-security.org\/zh_cn\/wp-json\/",
        "namespace": "contact-form-7\/v1"
    },
    "cached": 1
};
//# sourceURL=contact-form-7-js-before
</script>
<script src="https://wp-security.org/wp-content/plugins/contact-form-7/includes/js/index.js?ver=6.1.5" id="contact-form-7-js"></script>
<script id="disqus_count-js-extra">
var countVars = {"disqusShortname":"wp-security-org"};
//# sourceURL=disqus_count-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/disqus-comment-system/public/js/comment_count.js?ver=3.1.4" id="disqus_count-js"></script>
<script id="disqus_embed-js-extra">
var embedVars = {"disqusConfig":{"integration":"wordpress 3.1.4 6.9.4"},"disqusIdentifier":"3543 https://wp-security.org/uncategorized/community-alert-xss-in-json-importercve202515363/","disqusShortname":"wp-security-org","disqusTitle":"Community Alert XSS in JSON Importer(CVE202515363)","disqusUrl":"https://wp-security.org/zh_cn/vulnerability-database/community-alert-xss-in-json-importercve202515363/","postId":"3543"};
//# sourceURL=disqus_embed-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/disqus-comment-system/public/js/comment_embed.js?ver=3.1.4" id="disqus_embed-js"></script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/basic-elements/public/js/public-powerkit-basic-elements.js?ver=4.0.0" id="powerkit-basic-elements-js"></script>
<script src="https://wp-security.org/wp-content/plugins/canvas/components/justified-gallery/block/jquery.justifiedGallery.min.js?ver=2.5.2" id="justifiedgallery-js"></script>
<script id="powerkit-justified-gallery-js-extra">
var powerkitJG = {"rtl":""};
//# sourceURL=powerkit-justified-gallery-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/justified-gallery/public/js/public-powerkit-justified-gallery.js?ver=3.0.7" id="powerkit-justified-gallery-js"></script>
<script src="https://wp-security.org/wp-includes/js/imagesloaded.min.js?ver=5.0.0" id="imagesloaded-js"></script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/lightbox/public/js/glightbox.min.js?ver=3.0.7" id="glightbox-js"></script>
<script id="powerkit-lightbox-js-extra">
var powerkit_lightbox_localize = {"text_previous":"Previous","text_next":"Next","text_close":"Close","text_loading":"Loading","text_counter":"of","single_image_selectors":".entry-content img,.single .post-media img","gallery_selectors":".wp-block-gallery,.gallery","exclude_selectors":".sight-portfolio-area","zoom_icon":"1"};
//# sourceURL=powerkit-lightbox-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/lightbox/public/js/public-powerkit-lightbox.js?ver=3.0.7" id="powerkit-lightbox-js"></script>
<script id="powerkit-opt-in-forms-js-extra">
var opt_in = {"ajax_url":"https://wp-security.org/wp-admin/admin-ajax.php","warning_privacy":"Please confirm that you agree with our policies.","is_admin":"","server_error":"Server error occurred. Please try again later."};
//# sourceURL=powerkit-opt-in-forms-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/opt-in-forms/public/js/public-powerkit-opt-in-forms.js?ver=3.0.7" id="powerkit-opt-in-forms-js"></script>
<script async="async" defer="defer" src="//assets.pinterest.com/js/pinit.js?ver=6.9.4" id="powerkit-pinterest-js"></script>
<script id="powerkit-pin-it-js-extra">
var powerkit_pinit_localize = {"image_selectors":".entry-content img","exclude_selectors":".cnvs-block-row,.cnvs-block-section,.cnvs-block-posts .entry-thumbnail,.cnvs-post-thumbnail,.pk-block-author,.pk-featured-categories img,.pk-inline-posts-container img,.pk-instagram-image,.pk-subscribe-image,.wp-block-cover,.pk-block-posts,.sight-portfolio-entry-link-page","only_hover":"1"};
//# sourceURL=powerkit-pin-it-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/pinterest/public/js/public-powerkit-pin-it.js?ver=3.0.7" id="powerkit-pin-it-js"></script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/scroll-to-top/public/js/public-powerkit-scroll-to-top.js?ver=3.0.7" id="powerkit-scroll-to-top-js"></script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/share-buttons/public/js/public-powerkit-share-buttons.js?ver=3.0.7" id="powerkit-share-buttons-js"></script>
<script src="https://wp-security.org/wp-content/plugins/canvas/components/slider-gallery/block/flickity.pkgd.min.js?ver=2.5.2" id="flickity-js"></script>
<script id="powerkit-slider-gallery-js-extra">
var powerkit_sg_flickity = {"page_info_sep":" of "};
//# sourceURL=powerkit-slider-gallery-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/slider-gallery/public/js/public-powerkit-slider-gallery.js?ver=3.0.7" id="powerkit-slider-gallery-js"></script>
<script id="powerkit-table-of-contents-js-extra">
var powerkit_toc_config = {"label_show":"Show","label_hide":"Hide"};
//# sourceURL=powerkit-table-of-contents-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/powerkit/modules/table-of-contents/public/js/public-powerkit-table-of-contents.js?ver=3.0.7" id="powerkit-table-of-contents-js"></script>
<script src="https://wp-security.org/wp-content/plugins/sight/render/js/jquery.magnific-popup.min.js?ver=1774098503" id="magnific-popup-js"></script>
<script id="sight-block-script-js-extra">
var sight_lightbox_localize = {"text_previous":"Previous","text_next":"Next","text_close":"Close","text_loading":"Loading","text_counter":"of"};
//# sourceURL=sight-block-script-js-extra
</script>
<script src="https://wp-security.org/wp-content/plugins/sight/render/js/sight.js?ver=1774098503" id="sight-block-script-js"></script>
<script src="https://wp-security.org/wp-content/plugins/kirki/assets/js/kirki.min.js?ver=6.0.3" id="kirki-js"></script>
<script src="https://wp-security.org/wp-content/plugins/canvas/components/posts/block-posts/colcade.js?ver=2.5.2" id="colcade-js"></script>
<script src="https://wp-security.org/wp-content/themes/squaretype/js/ofi.min.js?ver=3.2.3" id="object-fit-images-js"></script>
<script id="csco-scripts-js-extra">
var csco_mega_menu = {"rest_url":"https://wp-security.org/zh_cn/wp-json/csco/v1/menu-posts","current_lang":"","current_locale":"zh_CN"};
//# sourceURL=csco-scripts-js-extra
</script>
<script src="https://wp-security.org/wp-content/themes/squaretype/js/scripts.js?ver=3.1.1" id="csco-scripts-js"></script>
<script src="https://wp-security.org/wp-includes/js/comment-reply.min.js?ver=6.9.4" id="comment-reply-js" async data-wp-strategy="async" fetchpriority="low"></script>
<script id="wp-emoji-settings" type="application/json">
{"baseUrl":"https://s.w.org/images/core/emoji/17.0.2/72x72/","ext":".png","svgUrl":"https://s.w.org/images/core/emoji/17.0.2/svg/","svgExt":".svg","source":{"concatemoji":"https://wp-security.org/wp-includes/js/wp-emoji-release.min.js?ver=6.9.4"}}
</script>
<script type="module">
/*! This file is auto-generated */
const a=JSON.parse(document.getElementById("wp-emoji-settings").textContent),o=(window._wpemojiSettings=a,"wpEmojiSettingsSupports"),s=["flag","emoji"];function i(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function c(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data);e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0);const a=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data);return t.every((e,t)=>e===a[t])}function p(e,t){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var n=e.getImageData(16,16,1,1);for(let e=0;e<n.data.length;e++)if(0!==n.data[e])return!1;return!0}function u(e,t,n,a){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\udde8\ud83c\uddf6","\ud83c\udde8\u200b\ud83c\uddf6")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!a(e,"\ud83e\u1fac8")}return!1}function f(e,t,n,a){let r;const o=(r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):document.createElement("canvas")).getContext("2d",{willReadFrequently:!0}),s=(o.textBaseline="top",o.font="600 32px Arial",{});return e.forEach(e=>{s[e]=t(o,e,n,a)}),s}function r(e){var t=document.createElement("script");t.src=e,t.defer=!0,document.head.appendChild(t)}a.supports={everything:!0,everythingExceptFlag:!0},new Promise(t=>{let n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),c.toString(),p.toString()].join(",")+"));",a=new Blob([e],{type:"text/javascript"});const r=new Worker(URL.createObjectURL(a),{name:"wpTestEmojiSupports"});return void(r.onmessage=e=>{i(n=e.data),r.terminate(),t(n)})}catch(e){}i(n=f(s,u,c,p))}t(n)}).then(e=>{for(const n in e)a.supports[n]=e[n],a.supports.everything=a.supports.everything&&a.supports[n],"flag"!==n&&(a.supports.everythingExceptFlag=a.supports.everythingExceptFlag&&a.supports[n]);var t;a.supports.everythingExceptFlag=a.supports.everythingExceptFlag&&!a.supports.flag,a.supports.everything||((t=a.source||{}).concatemoji?r(t.concatemoji):t.wpemoji&&t.twemoji&&(r(t.twemoji),r(t.wpemoji)))});
//# sourceURL=https://wp-security.org/wp-includes/js/wp-emoji-loader.min.js
</script>
<div style="position:absolute;margin:-1px;padding:0;height:1px;width:1px;overflow:hidden;clip-path:inset(50%);border:0;word-wrap:normal !important;"><p id="a11y-speak-intro-text" class="a11y-speak-intro-text" hidden data-no-translation="" data-trp-gettext="">通知</p><div id="a11y-speak-assertive" class="a11y-speak-region" aria-live="assertive" aria-relevant="additions text" aria-atomic="true"></div><div id="a11y-speak-polite" class="a11y-speak-region" aria-live="polite" aria-relevant="additions text" aria-atomic="true"></div></div>
        <!-- Usermaven - privacy-friendly analytics tool -->
        <script type="text/javascript">
            (function () {
                window.usermaven = window.usermaven || (function () { (window.usermavenQ = window.usermavenQ || []).push(arguments); })
                var t = document.createElement('script'),
                    s = document.getElementsByTagName('script')[0];
                t.defer = true;
                t.id = 'um-tracker';
                t.setAttribute('data-tracking-host', 'https://u.wp-security.org');
                t.setAttribute('data-key', 'UMZaYew9Sp');
                t.setAttribute('data-autocapture', 'true');                                                t.setAttribute('data-randomize-url', 'true');
                t.src = 'https://u.wp-security.org/lib.js';
                s.parentNode.insertBefore(t, s);
            })();
        </script>
        <!-- / Usermaven -->


        
        
<nav
    class="trp-language-switcher trp-floating-switcher trp-ls-dropdown trp-switcher-position-bottom"
    style="--bg:#ffffffb2;--bg-hover:#0000000d;--text:#000000;--text-hover:#000000;--border:1px solid transparent;--border-radius:8px 8px 0px 0px;--flag-radius:2px;--flag-size:20px;--aspect-ratio:4/3;--font-size:16px;--switcher-width:auto;--switcher-padding:10px 0;--transition-duration:0.2s;--bottom:0px;--right:10vw"
    role="navigation"
    aria-label="网站语言选择器"
    data-no-translation
>
    
            <div class="trp-language-switcher-inner">
            <div class="trp-language-item trp-language-item__current" title="Chinese (China)" role="button" tabindex="0" aria-expanded="false" aria-label="Change language" aria-controls="trp-switcher-dropdown-list" data-no-translation><span class="trp-language-item-name">Chinese (China)</span></div>
            <div
                class="trp-switcher-dropdown-list"
                id="trp-switcher-dropdown-list"
                role="group"
                aria-label="可用语言"
                hidden
 inert
>
                                    <a href="https://wp-security.org/vulnerability-database/community-alert-xss-in-json-importercve202515363/" class="trp-language-item" title="English" data-no-translation><span class="trp-language-item-name">English</span></a>                                    <a href="https://wp-security.org/zh/vulnerability-database/community-alert-xss-in-json-importercve202515363/" class="trp-language-item" title="Chinese (Hong Kong)" data-no-translation><span class="trp-language-item-name">Chinese (Hong Kong)</span></a>                                    <a href="https://wp-security.org/es/vulnerability-database/community-alert-xss-in-json-importercve202515363/" class="trp-language-item" title="Spanish" data-no-translation><span class="trp-language-item-name">Spanish</span></a>                                    <a href="https://wp-security.org/hi/vulnerability-database/community-alert-xss-in-json-importercve202515363/" class="trp-language-item" title="Hindi" data-no-translation><span class="trp-language-item-name">Hindi</span></a>                                    <a href="https://wp-security.org/fr/vulnerability-database/community-alert-xss-in-json-importercve202515363/" class="trp-language-item" title="French" data-no-translation><span class="trp-language-item-name">French</span></a>                            </div>
        </div>

    </nav>
	<script type="text/javascript">
		"use strict";

		(function($) {

			$( window ).on( 'load', function() {

				// Each All Share boxes.
				$( '.pk-share-buttons-mode-rest' ).each( function() {

					var powerkitButtonsIds = [],
						powerkitButtonsBox = $( this );

					// Check Counts.
					if ( ! powerkitButtonsBox.hasClass( 'pk-share-buttons-has-counts' ) && ! powerkitButtonsBox.hasClass( 'pk-share-buttons-has-total-counts' ) ) {
						return;
					}

					powerkitButtonsBox.find( '.pk-share-buttons-item' ).each( function() {
						if ( $( this ).attr( 'data-id' ).length > 0 ) {
							powerkitButtonsIds.push( $( this ).attr( 'data-id' ) );
						}
					});

					// Generate accounts data.
					var powerkitButtonsData = {};

					if( powerkitButtonsIds.length > 0 ) {
						powerkitButtonsData = {
							'ids'     : powerkitButtonsIds.join(),
							'post_id' : powerkitButtonsBox.attr( 'data-post-id' ),
							'url'     : powerkitButtonsBox.attr( 'data-share-url' ),
						};
					}

					// Get results by REST API.
					$.ajax({
						type: 'GET',
						url: 'https://wp-security.org/zh_cn/wp-json/social-share/v1/get-shares',
						data: powerkitButtonsData,
						beforeSend: function(){

							// Add Loading Class.
							powerkitButtonsBox.addClass( 'pk-share-buttons-loading' );
						},
						success: function( response ) {

							if ( ! $.isEmptyObject( response ) && ! response.hasOwnProperty( 'code' ) ) {

								// Accounts loop.
								$.each( response, function( index, data ) {

									if ( index !== 'total_count' ) {

										// Find Bsa Item.
										var powerkitButtonsItem = powerkitButtonsBox.find( '.pk-share-buttons-item[data-id="' + index + '"]');

										// Set Count.
										if ( data.hasOwnProperty( 'count' ) && data.count  ) {

											powerkitButtonsItem.removeClass( 'pk-share-buttons-no-count' ).addClass( 'pk-share-buttons-item-count' );
											powerkitButtonsItem.find( '.pk-share-buttons-count' ).html( data.count );

										} else {
											powerkitButtonsItem.addClass( 'pk-share-buttons-no-count' );
										}
									}
								});

								if ( powerkitButtonsBox.hasClass( 'pk-share-buttons-has-total-counts' ) && response.hasOwnProperty( 'total_count' ) ) {
									var powerkitButtonsTotalBox = powerkitButtonsBox.find( '.pk-share-buttons-total' );

									if ( response.total_count ) {
										powerkitButtonsTotalBox.find( '.pk-share-buttons-count' ).html( response.total_count );
										powerkitButtonsTotalBox.show().removeClass( 'pk-share-buttons-total-no-count' );
									}
								}
							}

							// Remove Loading Class.
							powerkitButtonsBox.removeClass( 'pk-share-buttons-loading' );
						},
						error: function() {

							// Remove Loading Class.
							powerkitButtonsBox.removeClass( 'pk-share-buttons-loading' );
						}
					});
				});
			});

		})(jQuery);
	</script>
	</body>
</html>
<!--
Performance optimized by Redis Object Cache. Learn more: https://wprediscache.com

使用 PhpRedis (v6.3.0) 从 Redis 检索了 10743 个对象 (1 MB)。
-->

社区警报：JSON 导入器中的 XSS（CVE202515363）

JSON Content Importer < 2.0.10 — Contributor+ Stored XSS (CVE‑2025‑15363)

快速总结（tl;dr）

为什么存储型 XSS 在 WordPress 中很重要

这种特定漏洞的工作原理 — 高级别

现实的利用场景

立即行动清单 — 现在该做什么（0–72 小时）

How to detect if you’ve been targeted / exploited