CVE-2025-49342
Description
Cross-Site Request Forgery (CSRF) vulnerability in merzedes Custom Style custom-style allows Stored XSS. This issue affects Custom Style: from n/a through <= 1.0.
Analysis
Cross-Site Request Forgery (CSRF) in the Custom Style WordPress plugin, versions up to and including 1.0, lets an attacker cause an authenticated administrator's browser to submit requests that change the plugin's settings without the administrator's intent. Because the submitted value is stored and later rendered, the forged request can plant a persistent payload, which is the stored cross-site scripting (XSS) outcome named in the description. No CVSS score has been published. The EPSS score of 0.02% is a predicted probability of exploitation activity over the next 30 days, not an observation of attacks, and indicates a low likelihood. The CVE is not in CISA's KEV catalog and no public exploit code has been identified.
Technical Context
The weakness is classified as CWE-352 (Cross-Site Request Forgery). The plugin's administrative handlers that modify styling settings do not create or verify a WordPress nonce (wp_nonce_field() on the form, check_admin_referer() or wp_verify_nonce() in the handler), so nothing ties an incoming request to a form the administrator actually submitted. An attacker therefore only needs a logged-in administrator to load a page under the attacker's control, such as a link or a hidden auto-submitting form; the browser attaches the WordPress session cookies and the request is processed as the administrator's own action. No click on the forged request itself is required. The stored XSS component indicates that the same handler accepts the submitted value without sanitization and persists it in the database, so the forged request can store a payload that executes when the style is later rendered. A nonce is a CSRF control only: it must be paired with a capability check (current_user_can()) and with sanitization and output escaping, since a valid nonce by itself establishes neither that the caller is authorized nor that the stored value is safe to print.
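The following is an added illustration of the bug class described above, not code from the Custom Style plugin or from its author. It shows a generic WordPress admin-post handler that saves a "custom CSS" option in the vulnerable shape (no nonce, no capability check, raw value stored and printed inside a style element) next to a hardened version. All names (option cs_example_css, action cs_example_save, nonce action cs_example_save_css, field _cs_example_nonce) are hypothetical; the WordPress API calls are real.

```php
<?php
/**
 * Illustrative WordPress handler for saving a "custom CSS" option.
 * Not the Custom Style plugin's code. Option, action and nonce names
 * below are made up for the example; the WordPress functions are real.
 */

// --- Vulnerable pattern ----------------------------------------------------
// Any POST to admin-post.php?action=cs_example_save is honoured: no nonce,
// no capability check, raw value stored. A page an administrator merely
// visits can auto-submit such a form cross-site; the browser sends the
// wp-admin session cookies, and the stored value is later printed inside
// <style>, so a value like "</style><script>...</script>" becomes stored XSS.
function cs_example_save_css_vulnerable() {
    update_option( 'cs_example_css', wp_unslash( $_POST['custom_css'] ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=cs_example' ) );
    exit;
}

// --- Hardened pattern ------------------------------------------------------
function cs_example_save_css_hardened() {
    // 1. Authorization: only users allowed to change site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: a valid, unexpired nonce bound to this action and this user
    //    must accompany the request. check_admin_referer() dies on failure.
    check_admin_referer( 'cs_example_save_css', '_cs_example_nonce' );

    // 3. Input: refuse anything that looks like markup, so the value can
    //    never terminate the <style> element it is printed into.
    $css = isset( $_POST['custom_css'] ) ? wp_unslash( $_POST['custom_css'] ) : '';
    $css = cs_example_sanitize_css( $css );
    if ( null === $css ) {
        wp_die( 'Markup is not allowed in CSS.', '', array( 'response' => 400 ) );
    }
    update_option( 'cs_example_css', $css );
    wp_safe_redirect( admin_url( 'options-general.php?page=cs_example&saved=1' ) );
    exit;
}

/**
 * Reject any opening or closing tag (similar to the check WordPress core
 * applies to Customizer "Additional CSS"). Returns null when rejected.
 */
function cs_example_sanitize_css( $css ) {
    if ( preg_match( '#</?\w+#', $css ) || preg_match( '#<\\\\/\w+#', $css ) ) {
        return null;
    }
    return $css;
}

// Settings form: the nonce field is what the hardened handler verifies.
function cs_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cs_example_save" />
        <?php wp_nonce_field( 'cs_example_save_css', '_cs_example_nonce' ); ?>
        <textarea name="custom_css" rows="10" cols="80"><?php
            echo esc_textarea( get_option( 'cs_example_css', '' ) );
        ?></textarea>
        <?php submit_button( 'Save CSS' ); ?>
    </form>
    <?php
}

// Front-end output, defence in depth: neutralise the only sequence that can
// close the element even if a bad value somehow reached the database.
function cs_example_print_css() {
    $css = get_option( 'cs_example_css', '' );
    $css = str_ireplace( '</style', '<\/style', $css );
    echo '<style id="cs-example-css">' . "\n" . $css . "\n" . '</style>' . "\n";
}

add_action( 'admin_post_cs_example_save', 'cs_example_save_css_hardened' );
add_action( 'wp_head', 'cs_example_print_css' );
```

The order of the checks in the hardened handler matters: the capability test runs first so that a low-privilege user who obtains a nonce for their own session still cannot reach the update, and the nonce test runs before any value is read so that a forged cross-site request is rejected regardless of its content. The sanitizer is deliberately strict (no `<tag` or `</tag` at all) because a CSS blob has no legitimate reason to contain one.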
Affected Products
The Custom Style WordPress plugin from its initial release through version 1.0 is affected. No CPE identifier was provided in the available data. The plugin is distributed through the WordPress plugin ecosystem; site owners can identify it by the plugin slug 'custom-style' used in the Patchstack vulnerability database entry (the directory name under wp-content/plugins/).
Remediation
Update the Custom Style plugin to a version later than 1.0 if the developer has released one. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/custom-style/vulnerability/wordpress-custom-style-plugin-1-0-cross-site-request-forgery-csrf-vulnerability lists the fixed version, if any, and installation instructions. Until a fix is installed: keep the number of administrator accounts to a minimum and have administrators avoid browsing untrusted sites while logged in to wp-admin, since the forged request rides on their session cookies; enable a WordPress security plugin or web application firewall that blocks requests to admin endpoints lacking a valid nonce or Referer; and review admin activity logs and the stored custom CSS itself for unexpected changes, in particular any occurrence of `</style` or `<script`. If the plugin author has not released a patch, disable or remove the plugin pending an official update.