WordPress Plugin Vulnerabilities

Delete Me < 3.1 - Contributor+ Stored Cross-Site Scripting via Shortcode

Description

The plugin does not validate and escape some of its attributes for the plugin_delete_me shortcode before outputting them back into the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admins.

Affects Plugins

Plugin icon
delete-me
Fixed in 3.1

References

CVE
CVE-2023-5126
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/delete-me/delete-me-30-authenticated-contributor-stored-cross-site-scripting-via-shortcode

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
2d93720b-2733-4947-95e8-9d390806af03

Timeline

Publicly Published
2023-10-23 (about 2 years ago)
Added
2023-10-25 (about 2 years ago)
Last Updated
2023-11-20 (about 2 years ago)

Other

Published
Title
Published
2024-06-05
Title
Colibri Page Builder < 1.0.277 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-03-29
Title
DD Rating <= 1.7.1 - Authenticated (Author+) Stored Cross-Site Scripting
Published
2024-04-22
Title
Colibri Page Builder < 1.0.272 - Contributor+ Stored Cross-Site Scripting via the plugin's 'colibri_breadcrumb_element' shortcode
Published
2025-03-05
Title
Greek Multi Tool < 2.3.2 - Unauthenticated Stored XSS
Published
2022-06-08
Title
Copify <= 1.3.0 - Stored Cross-Site Scripting via CSRF