VYPR
Medium severity 6.5 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 27, 2026

CVE-2025-62739

Description

Cross-Site Request Forgery (CSRF) vulnerability in SaifuMak Add Custom Codes add-custom-codes allows Cross Site Request Forgery. This issue affects Add Custom Codes: from n/a through <= 4.80.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF in Add Custom Codes plugin (≤4.80) lets attackers force privileged users to execute unwanted actions via crafted requests.

Vulnerability

Overview

A Cross-Site Request Forgery (CSRF) vulnerability exists in the WordPress plugin Add Custom Codes, versions from n/a through 4.80. The plugin fails to validate or verify requests made by authenticated users, allowing an attacker to craft malicious requests that are executed under the identity of a higher-privileged user [1].

Exploitation

Exploitation requires user interaction: a privileged user (such as an administrator) must be tricked into clicking a malicious link, visiting a crafted page, or submitting a form while authenticated to the WordPress site. No additional authentication is needed for the attacker beyond the victim's existing session [1].

Impact

Successful exploitation allows an attacker to force the victim to perform unintended actions within the plugin (such as modifying plugin settings, adding malicious code, or other administrative operations) within the context of the victim's session. This can lead to partial loss of integrity and availability, though the CVSS score of 6.5 (Medium) reflects a moderate impact [1].

Mitigation

The vulnerability is patched in version 5.0 or later. Users are strongly advised to update immediately. If updating is not possible, contacting the hosting provider or a web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
