Skip to main content

CVE-2025-49342

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-12-31 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
7.1 (HIGH)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 06:15 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in merzedes Custom Style custom-style allows Stored XSS.This issue affects Custom Style: from n/a through <= 1.0.

AnalysisAI

Cross-Site Request Forgery (CSRF) in the Custom Style WordPress plugin up to version 1.0 enables attackers to perform unauthorized administrative actions, potentially leading to stored cross-site scripting (XSS) injection. The vulnerability affects all versions from initial release through 1.0, with no CVSS score published but an EPSS score of 0.02% indicating minimal observed exploitation probability. No active KEV status or public exploit code has been identified.

Technical ContextAI

The vulnerability stems from insufficient CSRF token validation in the Custom Style WordPress plugin, classified under CWE-352 (Cross-Site Request Forgery). The plugin fails to implement or properly validate nonce-based protections on administrative functions that modify styling settings. This allows attackers to craft malicious requests that, when clicked by an authenticated WordPress administrator, execute unintended actions without explicit consent. The stored XSS component indicates that CSRF-vulnerable endpoints accept unsanitized input that persists in the database, enabling secondary payload injection.

Affected ProductsAI

The Custom Style WordPress plugin from its initial release through version 1.0 is affected. No specific CPE identifier was provided in available data. The plugin is distributed through the WordPress plugin ecosystem; affected users can identify the plugin by the name 'custom-style' as referenced in the Patchstack vulnerability database entry.

RemediationAI

Update the Custom Style plugin to a patched version beyond 1.0 if available from the plugin developer. Consult the Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/custom-style/vulnerability/wordpress-custom-style-plugin-1-0-cross-site-request-forgery-csrf-vulnerability for the specific fixed version and installation instructions. In the interim, restrict administrative access to trusted accounts, enable WordPress security plugins that provide CSRF detection, and monitor admin activity logs for unauthorized style changes. If the plugin author has not released a patch, consider disabling or removing the plugin pending an official update.

Share

CVE-2025-49342 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy