CVE-2025-58704 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the WordPress plugin 'WP Delete User Accounts' developed by Ren Ventura. This vulnerability arises due to improper neutralization of input during web page generation, allowing malicious scripts to be stored and subsequently executed in the context of users viewing affected pages. The vulnerability impacts all versions up to 1.2.4 of the plugin. The CVSS v3.1 base score is 6.5, indicating a medium severity level. The vector string (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) reveals that the attack can be launched remotely over the network (AV:N) with low attack complexity (AC:L), but requires privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the security scope of the vulnerable component. The impact affects confidentiality, integrity, and availability at a low level each (C:L/I:L/A:L). Stored XSS vulnerabilities allow attackers to inject malicious JavaScript payloads that persist on the server and execute in the browsers of users who visit the compromised pages. This can lead to session hijacking, privilege escalation, defacement, or distribution of malware. Since the vulnerability requires some level of privilege and user interaction, exploitation is somewhat constrained but still poses a significant risk, especially to administrators or users with elevated rights who interact with the plugin's interface. No known exploits are currently reported in the wild, and no patches are linked yet, indicating that mitigation may rely on vendor updates or manual code review and sanitization. The vulnerability is particularly relevant for WordPress sites utilizing the WP Delete User Accounts plugin, which is designed to manage user account deletions.

For European organizations, this vulnerability presents a moderate risk, especially for those relying on WordPress websites with the WP Delete User Accounts plugin installed. Exploitation could lead to unauthorized script execution within the context of administrative or user sessions, potentially compromising sensitive user data, including personal information protected under GDPR. The ability to alter page content or execute scripts could facilitate phishing attacks, session hijacking, or unauthorized actions on behalf of legitimate users, undermining trust and compliance. Given the medium severity and requirement for some privileges and user interaction, the threat is more pronounced in environments where multiple users with varying privilege levels access the WordPress admin interface. Organizations with public-facing websites or customer portals using this plugin could face reputational damage, data breaches, or service disruptions. Additionally, the scope change in the vulnerability indicates that the impact could extend beyond the plugin itself, potentially affecting other components or data within the WordPress ecosystem. This risk necessitates prompt attention to prevent exploitation that could lead to broader compromise within organizational web infrastructure.

1. Immediate mitigation should include auditing all WordPress installations for the presence of the WP Delete User Accounts plugin and identifying versions up to 1.2.4. 2. Until an official patch is released, implement manual input validation and output encoding on all user-supplied data processed by the plugin, focusing on neutralizing HTML and JavaScript content to prevent script injection. 3. Restrict plugin access strictly to trusted administrators and limit the number of users with privileges to interact with the plugin interface. 4. Employ Web Application Firewalls (WAFs) with rules designed to detect and block typical XSS payloads targeting the plugin's endpoints. 5. Monitor logs for unusual activities or repeated attempts to inject scripts via the plugin. 6. Educate users with access about the risks of clicking on suspicious links or interacting with untrusted content within the WordPress admin area. 7. Once available, promptly apply official patches or updates from Ren Ventura to remediate the vulnerability. 8. Consider deploying Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks by restricting script execution sources. 9. Regularly backup WordPress sites and databases to enable quick recovery in case of compromise.