CVE-2025-62149

Vulnerability

Overview

The Add Custom Codes plugin for WordPress (versions n/a through 4.80) contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an authenticated attacker with sufficient privileges to inject arbitrary JavaScript or HTML payloads that are stored on the server and executed when other users, including site visitors, access the affected page [1].

Exploitation

Prerequisites

Exploitation requires a privileged user role (such as an administrator or editor) to submit crafted input through the plugin's interface. While the attacker must have some level of access, successful execution also depends on a privileged user performing an action — such as clicking a malicious link or submitting a form — which triggers the stored payload [1]. This makes the attack chain reliant on social engineering or existing compromised accounts.

Impact

If exploited, an attacker can inject malicious scripts that may redirect visitors to attacker-controlled sites, display unwanted advertisements, or perform other actions within the security context of the victim's browser [1]. The CVSS v3 base score is 5.9 (Medium), reflecting the need for user interaction and authenticated access [1].

Mitigation

The vendor has released version 5.0, which resolves the vulnerability. Users are strongly advised to update to version 5.0 or later immediately [1]. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].