What the vulnerability does
01Description
Cross-Site Request Forgery (CSRF) vulnerability in WPFactory Custom CSS, JS & PHP custom-css allows Remote Code Inclusion.This issue affects Custom CSS, JS & PHP: from n/a through <= 2.4.1.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
What the vulnerability does
Cross-Site Request Forgery (CSRF) vulnerability in WPFactory Custom CSS, JS & PHP custom-css allows Remote Code Inclusion.This issue affects Custom CSS, JS & PHP: from n/a through <= 2.4.1.
Explanation of Vulnerability in Simple Terms
The Custom CSS, JS & PHP plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability affecting versions up to 2.4.1. An attacker can trick a site administrator into performing unwanted actions—such as modifying plugin settings, injecting malicious code, or changing site configuration—by crafting a malicious link or page. The vulnerability requires the admin to visit the attacker's page while logged into WordPress.
What an attacker can do
Trick a logged-in admin into modifying plugin settings, injecting code, or changing site configuration without their knowledge.
Potential impact on your site
An attacker can modify your site's custom CSS, JavaScript, or PHP code, potentially injecting malware or defacing your site.
Conditions required to exploit
Admin must be logged into WordPress and visit a page controlled by the attacker (e.g., via a malicious link).
Key dates
External resources
Related vulnerabilities