VYPR
Medium severity (4.9) · NVD Advisory · Published Oct 25, 2023 · Updated Apr 8, 2026

CVE-2023-5126

Description

The Delete Me plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'plugin_delete_me' shortcode in versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The shortcode is not displayed to administrators, so it cannot be used against administrator users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Delete Me plugin for WordPress allows authenticated attackers with contributor+ to inject scripts via shortcode attributes.

Vulnerability

Versions of the Delete Me plugin for WordPress up to and including 3.0 are vulnerable to stored cross-site scripting (XSS) via the plugin_delete_me shortcode. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes passed to the shortcode. This allows authenticated users with contributor-level access or higher to inject arbitrary web scripts into pages.

Exploitation

An attacker with at least contributor-level permissions can inject malicious JavaScript code into the shortcode attributes, such as class, style, html, or js_confirm_warning. When a user (other than an administrator) accesses a page containing the crafted shortcode, the injected script executes in the context of the victim's browser. The shortcode is intentionally not displayed to administrators, protecting them from exploitation.

Impact

Successful exploitation leads to arbitrary script execution in the browser context of any user who views a page containing the malicious shortcode. This can result in session hijacking, defacement, or theft of sensitive information. The attack is limited to non-administrator users, but contributors, authors, editors, and other roles are vulnerable.

Mitigation

The vulnerability was addressed in version 3.1 of the Delete Me plugin, released on 2023-11-11, which added output sanitization to all editable settings. Users should update to version 3.2 or later. As of this writing, no workarounds are available; the only mitigation is to update the plugin. References [1] and [2] provide details on the fix and the vulnerable code.
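To make the root cause concrete, here is an added example that is not the Delete Me plugin's own code: a hypothetical [plugin_delete_me] handler in the shape the advisory describes, first with attribute values concatenated into markup unescaped, then with each value escaped for the context it lands in. It assumes WordPress is loaded (shortcode_atts, esc_attr, esc_js, wp_kses_post, safecss_filter_attr); the function names and attribute defaults are invented.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded.
// Attribute names come from the advisory; defaults are invented.

function example_delete_me_defaults( $atts ) {
    return shortcode_atts( array(
        'class'              => 'delete-me',
        'style'              => '',
        'html'               => 'Delete my account',
        'js_confirm_warning' => 'Delete your account?',
    ), $atts, 'plugin_delete_me' );
}

// UNSAFE: values written by the post author are concatenated straight into
// markup. A contributor may use shortcodes but lacks unfiltered_html, and
// kses does not touch shortcode attribute text, so whatever sits in
// class/style/html/js_confirm_warning is rendered verbatim for every
// non-admin visitor of the page: stored XSS.
function example_delete_me_unsafe( $atts ) {
    $a = example_delete_me_defaults( $atts );
    return '<a href="#" class="' . $a['class'] . '" style="' . $a['style'] . '"'
         . ' onclick="return confirm(\'' . $a['js_confirm_warning'] . '\');">'
         . $a['html'] . '</a>';
}

// SAFE: escape each value for the exact context it is emitted into.
//  - class / style      -> HTML attribute (style first passes the WordPress
//                          CSS allow-list, which drops disallowed properties)
//  - js_confirm_warning -> JavaScript string literal inside an attribute
//  - html               -> HTML body, limited to the post-content allow-list
//                          (script tags and on* handlers are stripped)
function example_delete_me_safe( $atts ) {
    $a = example_delete_me_defaults( $atts );
    $class = esc_attr( $a['class'] );
    $style = esc_attr( safecss_filter_attr( $a['style'] ) );
    $warn  = esc_js( $a['js_confirm_warning'] );
    $html  = wp_kses_post( $a['html'] );
    return '<a href="#" class="' . $class . '" style="' . $style . '"'
         . ' onclick="return confirm(\'' . $warn . '\');">'
         . $html . '</a>';
}

// Register only the escaped handler; the unsafe one exists for comparison.
add_shortcode( 'plugin_delete_me', 'example_delete_me_safe' );
```

When reviewing a shortcode for this class of bug, check every attribute that reaches output and match the escaping function to the output context (attribute, JavaScript string, or HTML body) rather than applying one generic sanitizer.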

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
