Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ren Ventura WP Delete User Accounts wp-delete-user-accounts allows Stored XSS. This issue affects WP Delete User Accounts: from n/a through <= 1.2.4.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper input neutralization in Ren Ventura WP Delete User Accounts results in stored XSS, allowing an attacker to embed malicious JavaScript that will run in the browsers of any user who views affected content. The injected script can be used to steal credentials, deface the site, or redirect visitors, thereby compromising user confidentiality and integrity. The weakness is a classic Stored XSS, classified as CWE‑79.

Affected Systems

The vulnerability affects the WP Delete User Accounts plugin published by Ren Ventura. All releases up to and including version 1.2.4 are impacted; newer versions are presumed to contain the fix.

Risk and Exploitability

The assigned CVSS score of 6.5 indicates medium severity, while an EPSS score of less than 1% suggests a very low likelihood of exploitation at the time of this analysis. The issue is not listed in the CISA KEV catalog. Attackers would likely need access to the plugin’s configuration interface or a means to inject data that is stored and later rendered on the site, so authentication or privileged access is a probable requirement.

Generated by OpenCVE AI on April 30, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Delete User Accounts plugin to a version above 1.2.4, ensuring the stored XSS fix is applied.
  • If an upgrade is not feasible, immediately disable or uninstall the plugin to eliminate the attack surface.
  • After either action, review the database and any stored content for residual malicious scripts and perform a security scan to confirm removal of XSS payloads.



Advisories
Source: EUVD
ID: EUVD-2025-30481
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ren Ventura WP Delete User Accounts allows Stored XSS. This issue affects WP Delete User Accounts: from n/a through 1.2.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ren Ventura WP Delete User Accounts allows Stored XSS. This issue affects WP Delete User Accounts: from n/a through 1.2.4.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ren Ventura WP Delete User Accounts wp-delete-user-accounts allows Stored XSS. This issue affects WP Delete User Accounts: from n/a through <= 1.2.4.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ren Ventura WP Delete User Accounts allows Stored XSS. This issue affects WP Delete User Accounts: from n/a through 1.2.4.
Title WordPress WP Delete User Accounts Plugin <= 1.2.4 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T01:03:57.417Z

Reserved: 2025-09-03T12:43:12.583Z

Link: CVE-2025-58704

Vulnrichment

Updated: 2025-09-23T16:03:58.124Z

NVD

Status: Deferred

Published: 2025-09-22T19:16:21.583

Modified: 2026-04-23T15:33:36.633

Link: CVE-2025-58704

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T02:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')