Platform: wordpress
Component: add-custom-codes
Fixed in: 4.80.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in SaifuMak Add Custom Codes, potentially allowing attackers to execute unauthorized actions. This vulnerability impacts versions ranging from 0.0.0 through 4.80. The issue has been resolved in version 5.0, and users are strongly advised to upgrade.
This CSRF vulnerability allows an attacker to trick an authenticated user into unknowingly performing actions they did not intend. For example, an attacker could craft a malicious link that, when visited by a logged-in user, modifies settings, creates new content, or performs other actions within the Add Custom Codes plugin. The impact is bounded by the victim's privileges on the WordPress site, but if the victim is a site administrator the result could be a significant compromise. Successful exploitation requires the user to be logged in and to interact with the malicious link.
CVE-2025-62739 was published on 2025-12-09. No public proof-of-concept (POC) code is currently available. The vulnerability's CVSS score of 6.5 (MEDIUM) indicates moderate severity. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade SaifuMak Add Custom Codes to version 5.0 or later, which contains the fix. If immediate upgrading is not possible, consider implementing a Content Security Policy (CSP) to restrict the sources from which scripts can be executed. Additionally, implement strict input validation and output encoding to minimize the impact of any potential CSRF attempts. Monitor WordPress access logs for suspicious requests originating from unfamiliar sources.
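The standard WordPress defense against the request forgery described above is a capability check plus nonce verification in the request handler. The following is an added illustration, not the plugin's code; the handler, option name, action name and form fields are hypothetical, since the plugin's actual implementation is not shown on this page.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical settings-save
// handler for a WordPress plugin, first without CSRF protection, then with
// the standard WordPress defenses (capability check + nonce verification).
// Option name, action name and form field names are assumptions.

// BEFORE: any request carrying the field is honoured. A forged cross-site
// POST issued from a logged-in administrator's browser updates the option.
function acc_save_custom_code_vulnerable() {
    if ( isset( $_POST['acc_custom_code'] ) ) {
        update_option( 'acc_custom_code', wp_unslash( $_POST['acc_custom_code'] ) );
    }
}

// AFTER: the handler rejects users lacking the required capability and
// requests without a valid nonce. A forged request cannot carry the nonce,
// because the attacker's page cannot read it from the victim's session.
function acc_save_custom_code_hardened() {
    if ( ! isset( $_POST['acc_custom_code'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    // Action and field name must match the wp_nonce_field() call in the form.
    check_admin_referer( 'acc_save_custom_code', 'acc_nonce' );
    update_option( 'acc_custom_code', wp_unslash( $_POST['acc_custom_code'] ) );
}
add_action( 'admin_post_acc_save_custom_code', 'acc_save_custom_code_hardened' );

// The settings form must emit the matching nonce field.
function acc_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="acc_save_custom_code">
        <?php wp_nonce_field( 'acc_save_custom_code', 'acc_nonce' ); ?>
        <textarea name="acc_custom_code"><?php echo esc_textarea( get_option( 'acc_custom_code', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of issue, look for every state-changing handler (admin_post_*, admin-ajax actions, REST routes) and confirm each one verifies a nonce or REST nonce and a capability before writing.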
Update to version 5.0, or a newer patched version
CVE-2025-62739 is a Cross-Site Request Forgery vulnerability affecting SaifuMak Add Custom Codes versions 0.0.0–4.80, allowing attackers to perform unauthorized actions.
You are affected if your WordPress site uses SaifuMak Add Custom Codes version 0.0.0 through 4.80. Upgrade to version 5.0 to mitigate the risk.
Upgrade SaifuMak Add Custom Codes to version 5.0 or later. Consider implementing a Content Security Policy (CSP) as an additional layer of defense.
There is no current evidence of active exploitation, but the vulnerability's medium severity warrants prompt remediation.
Refer to the SaifuMak plugin documentation and WordPress plugin repository for the latest advisory and update information.