CVE-2023-5126 in Delete Me Plugininfo

Summary

by MITRE • 10/25/2023

The Delete Me plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'plugin_delete_me' shortcode in versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The shortcode is not displayed to administrators, so it cannot be used against administrator users.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/11/2026

The CVE-2023-5126 vulnerability affects the Delete Me plugin for WordPress, specifically versions up to and including 3.0, presenting a significant security risk through stored cross-site scripting exploitation. This vulnerability resides within the plugin's 'plugin_delete_me' shortcode implementation, where inadequate input sanitization and output escaping mechanisms fail to properly validate or escape user-supplied attributes. The flaw allows authenticated attackers who possess contributor-level permissions or higher to inject malicious web scripts into WordPress pages, creating a persistent threat that executes whenever any user accesses pages containing the injected code. The vulnerability's impact is particularly concerning given that it requires only relatively low-level user privileges to exploit, making it accessible to users who should normally have limited administrative capabilities within the WordPress environment.

The technical nature of this vulnerability aligns with CWE-79, which describes Cross-Site Scripting flaws occurring when untrusted data is improperly escaped before being inserted into web pages. The vulnerability operates through a stored XSS vector because the malicious scripts are persisted in the database rather than being executed only during a single request. Attackers can leverage this weakness by crafting malicious shortcode parameters containing JavaScript code, which gets stored and subsequently executed in the context of other users' browsers when they view affected pages. This creates a potential for session hijacking, credential theft, or redirection to malicious websites, depending on the sophistication of the injected payload. The vulnerability's persistence stems from the fact that the malicious code remains stored within the WordPress content, making it a long-term threat that continues to affect users until the malicious content is removed.

The operational impact of this vulnerability extends beyond simple script execution, as it can be leveraged to compromise the integrity of the entire WordPress installation. Attackers with contributor access can systematically target other users within the site, potentially escalating their access through the exploitation of other vulnerabilities or by using the stored XSS to capture credentials from less privileged users. The fact that the shortcode is not displayed to administrators provides some protection against direct exploitation of admin accounts, but does not eliminate the risk entirely since administrators may still be subject to attacks through other vectors or by targeting users who interact with the administrator's content. This vulnerability undermines the principle of least privilege by allowing users with limited permissions to create persistent threats that can affect any user who accesses the compromised pages.

Mitigation strategies for CVE-2023-5126 should prioritize immediate plugin updates to versions that address the sanitization and escaping deficiencies, as well as implementing comprehensive input validation for all user-supplied data. Organizations should also consider restricting contributor-level user permissions to prevent unauthorized exploitation, while implementing content security policies to limit the execution of unauthorized scripts. Additionally, regular security audits should be conducted to identify and remediate similar vulnerabilities in other plugins or themes, as this type of flaw represents a common pattern in WordPress security vulnerabilities. The ATT&CK framework categorizes this type of vulnerability under T1548.001, which covers abuse of credentials and privilege escalation through web application vulnerabilities, making it a critical target for both defensive and offensive security operations.

Responsible

Wordfence

Reservation

09/22/2023

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00445

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!