VYPR
Medium severity 5.4 · NVD Advisory · Published Dec 31, 2025 · Updated Apr 23, 2026

CVE-2025-62108

Description

Missing Authorization vulnerability in SaifuMak Add Custom Codes add-custom-codes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Add Custom Codes: from n/a through <= 4.80.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Add Custom Codes WordPress plugin ≤4.80 lacks access control, allowing low-privilege users to modify custom site code.

Root Cause

The Add Custom Codes plugin for WordPress, versions up to and including 4.80, suffers from a missing authorization vulnerability [1]. The software fails to adequately verify user permissions before granting access to sensitive functions, effectively bypassing the intended access control security levels [1].

Exploitation

The vulnerability is categorized as a broken access control issue, meaning an unauthenticated or low-privileged attacker can execute actions that should be reserved for higher-privileged users such as administrators [1]. The attack surface is the WordPress admin interface, and no special network position is required beyond being able to send HTTP requests to the vulnerable site. The attacker does not need to authenticate as the higher-privileged role being targeted, but must be able to interact with the plugin's functions [1].

Impact

An attacker exploiting this flaw can perform actions that modify custom code on the site, potentially leading to arbitrary code execution, site defacement, or injection of malicious scripts [1]. The vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites simultaneously, regardless of site size or popularity [1].

Mitigation

The issue has been addressed in version 5.0 of the plugin; users are strongly advised to update immediately [1]. If updating is not possible, administrators should seek assistance from their hosting provider or web developer to apply alternative controls [1]. The vendor considers this a low-severity issue, but given its use in automated attacks, timely patching is critical [1].
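
An added example, not part of the advisory or the plugin's own code: a Python check that reads the plugin's Version header from a WordPress install and flags versions at or below 4.80. It assumes the default wp-content/plugins layout and finds the main file by its Plugin Name header; the sample trees and the file name main.php are constructed.

```python
import re
import tempfile
from pathlib import Path

SLUG = "add-custom-codes"   # plugin slug as given in the CVE description
LAST_AFFECTED = "4.80"      # advisory: affected through <= 4.80
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def version_key(version):
    """Compare dotted versions segment by segment as integers (4.9 < 4.80 < 5.0)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def plugin_version(plugin_dir):
    """Return the Version header of the file carrying the 'Plugin Name:' header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # headers sit at the top of the file
        if "Plugin Name:" in head:
            match = VERSION_RE.search(head)
            return match.group(1) if match else None
    return None

def audit(wp_root):
    """Return (version, status) for one WordPress root; assumes default wp-content/plugins."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return (None, "not installed")
    version = plugin_version(plugin_dir)
    if version is None or not version_key(version):
        return (version, "version unknown, inspect manually")
    affected = version_key(version) <= version_key(LAST_AFFECTED)
    return (version, "affected" if affected else "not affected")

def demo():
    """Build constructed WordPress trees in a temp dir and audit each one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, version in [("old", "4.80"), ("older", "4.9"), ("fixed", "5.0")]:
            pdir = Path(tmp) / name / "wp-content" / "plugins" / SLUG
            pdir.mkdir(parents=True)
            # Constructed header; the real main file name and contents are not on the page.
            (pdir / "main.php").write_text(
                f"<?php\n/*\n * Plugin Name: Add Custom Codes\n * Version: {version}\n */\n")
        (Path(tmp) / "bare").mkdir()
        for name in ("old", "older", "fixed", "bare"):
            results[name] = audit(Path(tmp) / name)
    return results

if __name__ == "__main__":
    for site, (version, status) in demo().items():
        print(f"{site}: {version} -> {status}")
```

A "not affected" result only reflects the installed version; it says nothing about whether custom code was changed while an older version was in place.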

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
