CVE-2025-39601 CRITICAL

CVE-2025-39601: WordPress Custom CSS, JS & PHP plugin <= 2.4.1 - CSRF to RCE vulnerability

Vendor Wpfactory
Product Custom CSS, JS & PHP
Weakness CWE-352 · CSRF
Published April 16, 2025
Last update May 12, 2026

CVSS base score

9.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Cross-Site Request Forgery (CSRF) vulnerability in WPFactory Custom CSS, JS & PHP custom-css allows Remote Code Inclusion.This issue affects Custom CSS, JS & PHP: from n/a through <= 2.4.1.

Explanation of Vulnerability in Simple Terms

02Summary

The Custom CSS, JS & PHP plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability affecting versions up to 2.4.1. An attacker can trick a site administrator into performing unwanted actions—such as modifying plugin settings, injecting malicious code, or changing site configuration—by crafting a malicious link or page. The vulnerability requires the admin to visit the attacker's page while logged into WordPress.

What an attacker can do

03Attacker Capabilities

Trick a logged-in admin into modifying plugin settings, injecting code, or changing site configuration without their knowledge.

Potential impact on your site

04Site Impact

An attacker can modify your site's custom CSS, JavaScript, or PHP code, potentially injecting malware or defacing your site.

Conditions required to exploit

05Prerequisites

Admin must be logged into WordPress and visit a page controlled by the attacker (e.g., via a malicious link).

Key dates

06Disclosure timeline

April 16, 2025 CVE published
May 12, 2026 Record updated

Related vulnerabilities

08Related CVE