CVE-2025-58704

Vulnerability

Overview

The WP Delete User Accounts plugin for WordPress versions 1.2.4 and earlier contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary JavaScript or HTML payloads that are stored on the server and executed when other users, including site visitors, access the affected page.

Exploitation

Prerequisites

Exploitation requires a privileged user (e.g., administrator) to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a specially crafted form [1]. The attacker does not need direct access to the site but must convince a privileged user to interact with the malicious payload. Once triggered, the injected script persists in the application, affecting all subsequent visitors.

Impact

Successful exploitation allows an attacker to execute arbitrary scripts in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or injection of advertisements and other HTML content [1]. The vulnerability is particularly dangerous because it can be used in mass-exploit campaigns targeting thousands of WordPress sites simultaneously.

Mitigation

The vendor has not released a patched version as of the publication date. Users are strongly advised to update the plugin immediately if a fix becomes available. As a workaround, consider disabling the plugin or restricting access to its administrative functions until a patch is applied [1].