CVE-2025-62108
Description
Missing Authorization vulnerability in SaifuMak Add Custom Codes add-custom-codes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Add Custom Codes: from n/a through <= 4.80.
Analysis
Missing authorization in SaifuMak Add Custom Codes WordPress plugin through version 4.80 allows unauthenticated or low-privileged attackers to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control mechanisms (CWE-862) that fail to properly validate user permissions before granting access to sensitive functionality. Despite a low EPSS score (0.05%, percentile 17%), the authentication bypass tag indicates potential for account takeover or privilege escalation.
Technical Context
The SaifuMak Add Custom Codes plugin (CPE implied: wordpress-plugins/add-custom-codes) is a WordPress add-on designed to allow administrators to inject custom HTML, CSS, and JavaScript code into WordPress sites. The vulnerability arises from improper implementation of access control checks (CWE-862: Missing Authorization), a class of flaws where applications fail to verify that the user attempting an action has the necessary permissions. In WordPress plugin architecture, this typically manifests as missing or incorrectly implemented capability checks (e.g., `current_user_can()` functions) on admin-facing AJAX endpoints, REST API routes, or form handlers. An attacker exploiting this flaw can bypass the intended permission model to access or modify protected code injection settings without proper credentials.
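To make the pattern concrete, the following is an added illustration written for this page. It is a hypothetical WordPress plugin fragment, not the SaifuMak Add Custom Codes source, and it makes no claim about where this CVE's missing check actually sits; the action names, the acc_demo_* functions and the option key are all invented. It shows a "save injected code" handler in the shape that produces CWE-862 next to the same handler with the checks a plugin reviewer would expect, for both admin-ajax and the REST API.

```php
<?php
/**
 * Illustrative only (hypothetical plugin code, not the SaifuMak plugin).
 * Demonstrates CWE-862 in a WordPress settings handler and the fix.
 */

// --- Vulnerable shape: the handler is reachable by logged-in users of any
// role (wp_ajax_*) AND by anonymous visitors (wp_ajax_nopriv_*), and it never
// asks whether the caller is allowed to change site-wide injected code.
function acc_demo_save_code_vulnerable() {
    $code = isset( $_POST['code'] ) ? wp_unslash( $_POST['code'] ) : '';
    update_option( 'acc_demo_injected_code', $code ); // later echoed on every page
    wp_send_json_success( array( 'saved' => true ) );
}
add_action( 'wp_ajax_acc_demo_save_code',        'acc_demo_save_code_vulnerable' );
add_action( 'wp_ajax_nopriv_acc_demo_save_code', 'acc_demo_save_code_vulnerable' );

// --- Hardened shape: same functionality, three changes.
//  1. No wp_ajax_nopriv_* registration, so anonymous requests never reach it.
//  2. A capability check. Storing arbitrary HTML/JS for output is the same
//     power as unfiltered_html, so that is the capability to require
//     (administrators have it on single sites; on multisite only super admins).
//  3. A nonce check, so an authenticated administrator cannot be made to
//     save code through a cross-site request.
function acc_demo_save_code_hardened() {
    // Dies with HTTP 403 if the 'nonce' POST field is missing or invalid.
    check_ajax_referer( 'acc_demo_save_code', 'nonce' );

    if ( ! current_user_can( 'unfiltered_html' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $code = isset( $_POST['code'] ) ? wp_unslash( $_POST['code'] ) : '';
    update_option( 'acc_demo_injected_code', $code );
    wp_send_json_success( array( 'saved' => true ) );
}
add_action( 'wp_ajax_acc_demo_save_code_v2', 'acc_demo_save_code_hardened' );

// --- The REST equivalent: permission_callback is the authorization gate.
// Returning true unconditionally (or omitting it) reproduces the same bug.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acc-demo/v1', '/code', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            update_option( 'acc_demo_injected_code', (string) $req->get_param( 'code' ) );
            return rest_ensure_response( array( 'saved' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'unfiltered_html' );
        },
        'args' => array(
            'code' => array( 'type' => 'string', 'required' => true ),
        ),
    ) );
} );
```

The admin-side JavaScript that calls the hardened endpoint must send the value of `wp_create_nonce( 'acc_demo_save_code' )` in the `nonce` field; REST requests carry the standard `X-WP-Nonce` header instead. When reviewing a plugin for this class of bug, the things to grep for are exactly these three: `wp_ajax_nopriv_` hooks on anything that writes state, handlers that call `update_option()` without a preceding `current_user_can()`, and REST routes whose `permission_callback` is `__return_true`.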
Affected Products
SaifuMak Add Custom Codes WordPress plugin, versions through 4.80. The vulnerability affects all installations of the add-custom-codes plugin up to and including version 4.80, with no minimum version explicitly excluded in the advisory data. WordPress sites using this plugin for custom code injection are at risk regardless of site configuration or user role, provided the access control bypass is exploitable.
Remediation
Update the SaifuMak Add Custom Codes plugin to a patched version higher than 4.80 when available via the WordPress plugin directory or the vendor's official distribution channel. Check the Patchstack vulnerability database (https://patchstack.com/database/Wordpress/Plugin/add-custom-codes/) for the latest patched release. If an update is not yet available, disable the plugin temporarily or restrict access to the plugin's settings by limiting WordPress administrator roles using role management tools. Review WordPress user permissions and audit access logs to detect unauthorized changes to injected custom code during the time the vulnerability was exposed.