CVE-2015-6805
Description
WordPress MDC Private Message plugin 1.0.0 has a persistent XSS vulnerability in the message field allowing authenticated users to inject arbitrary script.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The MDC Private Message plugin 1.0.0 for WordPress contains a stored cross-site scripting (XSS) vulnerability in the message field of a private message. The plugin fails to sanitize user input before storing it, allowing any authenticated user with message-sending privileges (e.g., Editor, Author) to inject arbitrary web script or HTML [1]. The vulnerability is present in version 1.0.0 and was fixed in version 1.0.1 [1].
Exploitation
An attacker needs to be an authenticated WordPress user with the ability to send private messages. The attacker composes a private message and places malicious JavaScript in the message field. When the recipient (typically an Administrator) opens the message, the injected script executes in the context of the recipient's session [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of the message recipient. This can lead to session hijacking, privilege escalation, or further compromise of the WordPress site, as the script can read cookies, modify page content, or perform administrative actions on behalf of the victim [1].
Mitigation
The vulnerability was patched in version 1.0.1, released on August 19, 2015 [1]. Users should upgrade to version 1.0.1 or later immediately. No workaround is available for the vulnerable version.
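As an added illustration that is not the plugin's own code (hypothetical handler names, table and nonce action are assumptions): the unsanitized store-and-echo pattern described above beside a hardened version built on WordPress's own sanitization and escaping functions.

```php
<?php
// Hypothetical, simplified handler for illustration only (not the MDC plugin's code).
// Assumed table: {$wpdb->prefix}pm_messages with columns sender_id, recipient_id, body.

// VULNERABLE PATTERN: the body is stored raw and echoed raw, so any HTML or
// script a sender includes runs in the recipient's browser when the message is opened.
function pm_store_message_vulnerable( $recipient_id ) {
    global $wpdb;
    $wpdb->insert( $wpdb->prefix . 'pm_messages', array(
        'sender_id'    => get_current_user_id(),
        'recipient_id' => (int) $recipient_id,
        'body'         => $_POST['message'],   // no sanitization
    ) );
}
function pm_render_message_vulnerable( $row ) {
    echo '<div class="pm-body">' . $row->body . '</div>';   // no escaping
}

// HARDENED PATTERN: verify capability and nonce, sanitize on input against an
// explicit allow-list, and apply the same allow-list again on output.
function pm_allowed_tags() {
    return array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(), 'em' => array(), 'p' => array(), 'br' => array(),
    );
}
function pm_store_message_hardened( $recipient_id ) {
    global $wpdb;
    // 'read' is the lowest capability of a logged-in user; substitute the plugin's own.
    if ( ! current_user_can( 'read' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    check_admin_referer( 'pm_send_message' );   // rejects forged cross-site submissions
    $body = wp_kses( wp_unslash( $_POST['message'] ), pm_allowed_tags() );
    $wpdb->insert( $wpdb->prefix . 'pm_messages', array(
        'sender_id'    => get_current_user_id(),
        'recipient_id' => absint( $recipient_id ),
        'body'         => $body,
    ), array( '%d', '%d', '%s' ) );
}
function pm_render_message_hardened( $row ) {
    // Stored data is never trusted: filter again at output time; hrefs are
    // additionally limited to wp_kses' default safe protocols (no javascript:).
    echo '<div class="pm-body">' . wp_kses( $row->body, pm_allowed_tags() ) . '</div>';
}
```

Filtering on both input and output matters because a second code path (an import, an older row, a direct database edit) can still place unfiltered HTML in the table.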
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Affected products (2):
- cpe:2.3:a:medhabidotcom:mdc_private_message:1.0.0:*:*:*:*:wordpress:*:*
- (no CPE) version range: = 1.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions
No linked articles in our index yet.