Skip to main content

SaifuMak Add Custom Codes CVE-2025-62108

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 15:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in SaifuMak Add Custom Codes add-custom-codes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Add Custom Codes: from n/a through <= 4.80.

AnalysisAI

Missing authorization in SaifuMak Add Custom Codes WordPress plugin through version 4.80 allows unauthenticated or low-privileged attackers to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control mechanisms (CWE-862) that fail to properly validate user permissions before granting access to sensitive functionality. Despite a low EPSS score (0.05%, percentile 17%), the authentication bypass tag indicates potential for account takeover or privilege escalation.

Technical ContextAI

The SaifuMak Add Custom Codes plugin (CPE implied: wordpress-plugins/add-custom-codes) is a WordPress add-on designed to allow administrators to inject custom HTML, CSS, and JavaScript code into WordPress sites. The vulnerability arises from improper implementation of access control checks (CWE-862: Missing Authorization), a class of flaws where applications fail to verify that the user attempting an action has the necessary permissions. In WordPress plugin architecture, this typically manifests as missing or incorrectly implemented capability checks (e.g., current_user_can() functions) on admin-facing AJAX endpoints, REST API routes, or form handlers. An attacker exploiting this flaw can bypass the intended permission model to access or modify protected code injection settings without proper credentials.

Affected ProductsAI

SaifuMak Add Custom Codes WordPress plugin, versions through 4.80. The vulnerability affects all installations of the add-custom-codes plugin up to and including version 4.80, with no minimum version explicitly excluded in the advisory data. WordPress sites using this plugin for custom code injection are at risk regardless of site configuration or user role, provided the access control bypass is exploitable.

RemediationAI

Update the SaifuMak Add Custom Codes plugin to a patched version higher than 4.80 when available via the WordPress plugin directory or the vendor's official distribution channel. Check the Patchstack vulnerability database (https://patchstack.com/database/Wordpress/Plugin/add-custom-codes/) for the latest patched release. If an update is not yet available, disable the plugin temporarily or restrict access to the plugin's settings by limiting WordPress administrator roles using role management tools. Review WordPress user permissions and audit access logs to detect unauthorized changes to injected custom code during the time the vulnerability was exposed.

Share

CVE-2025-62108 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy