CVE-2015-6805

MDC Private Message 1.0.0 - Authenticated Stored Cross-Site Scripting via Message Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-6805. PoCs published by Chris Kellum.

AI-analyzed exploit summary This exploit demonstrates a persistent XSS vulnerability in the WordPress MDC Private Message plugin version 1.0.0. The 'message' field fails to sanitize user input, allowing attackers to inject malicious scripts that execute when viewed by an administrator.

Description

Cross-site scripting (XSS) vulnerability in the MDC Private Message plugin 1.0.0 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the message field in a private message.

Exploits (1)

exploitdb WORKING POC

by Chris Kellum · textwebappsphp

https://www.exploit-db.com/exploits/37907

View Code ZIP pw:eip

This exploit demonstrates a persistent XSS vulnerability in the WordPress MDC Private Message plugin version 1.0.0. The 'message' field fails to sanitize user input, allowing attackers to inject malicious scripts that execute when viewed by an administrator.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: WordPress MDC Private Message Plugin 1.0.0

Auth required

Prerequisites: Access to a user account with permissions to send private messages (e.g., Editor, Author)

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/37907/

Third Party Advisory x_refsource_misc

https://wpvulndb.com/vulnerabilities/8154

Scores

EPSS 0.0239

EPSS Percentile 81.8%

Details

CWE

CWE-79

Status published

Products (1)

medhabidotcom/mdc_private_message 1.0.0

Published Sep 02, 2015

Tracked Since Feb 18, 2026