Plugin WordPress Add Custom Codes <= 4.80 - Vulnérabilité Cross Site Request Forgery (CSRF)

This CSRF vulnerability allows an attacker to trick an authenticated user into unknowingly performing actions they did not intend. For example, an attacker could craft a malicious link that, when clicked by a logged-in user, modifies settings, creates new content, or performs other actions within the Add Custom Codes plugin. The blast radius is limited to the user's privileges within the WordPress site, but a site administrator's account could lead to significant compromise. Successful exploitation requires the user to be logged in and interact with the malicious link.

WordPress websites utilizing the SaifuMak Add Custom Codes plugin, particularly those running versions 0.0.0 through 4.80, are at risk. Shared hosting environments where plugin updates are managed centrally are also potentially vulnerable if they have not been updated.

• wordpress / composer / npm:

grep -r 'add_custom_codes' /var/www/html/wp-content/plugins/

• wordpress / composer / npm:

wp plugin list --status=inactive | grep add_custom_codes

• wordpress / composer / npm:

curl -I https://example.com/wp-content/plugins/add-custom-codes/ | grep -i 'add-custom-codes'

1. 2025-12-09Disclosure

   disclosure

1. Réservé2025-10-21
2. Publiée2025-12-09
3. Modifiée2026-04-28
4. EPSS mis à jour2026-03-23

The primary mitigation is to upgrade SaifuMak Add Custom Codes to version 5.0 or later, which contains the fix. If immediate upgrading is not possible, consider implementing a Content Security Policy (CSP) to restrict the sources from which scripts can be executed. Additionally, implement strict input validation and output encoding to minimize the impact of any potential CSRF attempts. Monitor WordPress access logs for suspicious requests originating from unfamiliar sources.

Installations actives

1KNiche

Note du plugin