CVE-2025-58704: 
WordPress vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress WP Delete User Accounts plugin, identified as CVE-2025-58704. The vulnerability affects versions through 1.2.4 of the plugin and was disclosed on September 22, 2025. The security issue was discovered by researcher Muhammad Yudha - DJ and involves improper neutralization of input during web page generation (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has been assigned a CVSS v3.1 base score of 6.5 (Medium severity). The vulnerability vector is described as CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, indicating that it requires network access, low attack complexity, low privileges, and user interaction. The scope is changed, with low impacts on confidentiality, integrity, and availability (NVD, Patchstack).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site. The vulnerability requires contributor-level privileges to exploit (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. The issue affects versions up to and including 1.2.4 of the WP Delete User Accounts plugin (Patchstack).