CVE-2025-62149
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SaifuMak Add Custom Codes add-custom-codes allows Stored XSS. This issue affects Add Custom Codes: from n/a through <= 4.80.
Analysis
Stored cross-site scripting (XSS) vulnerability in SaifuMak Add Custom Codes WordPress plugin versions 4.80 and earlier allows authenticated attackers to inject malicious JavaScript that persists in the database and executes in the browsers of site administrators and other users. The vulnerability stems from improper input sanitization when storing custom code, enabling attackers with plugin access to compromise site integrity and steal administrative credentials or sessions.
Technical Context
The Add Custom Codes WordPress plugin fails to adequately sanitize or escape user-supplied input before storing it in the database and rendering it on web pages (CWE-79: Improper Neutralization of Input During Web Page Generation). WordPress plugins that allow custom code injection require strict validation and escaping of input parameters. The vulnerability affects the core functionality of the plugin, which is designed to let site administrators inject custom HTML, CSS, or JavaScript snippets. Without proper input validation and output escaping, an attacker can place a malicious payload in one of those custom code sections; it is stored and then executed whenever a page containing that code is viewed. This is stored rather than reflected XSS because the payload persists in the database instead of being passed through URL parameters.
Affected Products
The vulnerability affects the SaifuMak Add Custom Codes WordPress plugin (CPE identifier not formally assigned in public records) in versions 4.80 and earlier. This is a WordPress plugin available through the official WordPress plugin repository and third-party distributors. The vulnerability was reported and documented by Patchstack, a WordPress vulnerability researcher, and affects all installations running version 4.80 or older of the Add Custom Codes plugin.
Remediation
Users of the Add Custom Codes plugin should update to a patched version greater than 4.80 immediately. Administrators should access the WordPress dashboard, navigate to Plugins > Installed Plugins, locate Add Custom Codes, and click the 'Update' button if available. If no update appears in the dashboard, the plugin may no longer be actively maintained; in that case, consider removing the plugin and replacing it with a maintained alternative, or implementing custom code through a child theme's functions.php file with proper escaping functions. As an interim workaround pending updates, restrict the ability to edit custom code to the fewest user accounts necessary (WordPress roles that hold the 'manage_options' capability). The Patchstack database entry linked in references (https://patchstack.com/database/Wordpress/Plugin/add-custom-codes/vulnerability/wordpress-add-custom-codes-plugin-4-80-cross-site-scripting-xss-vulnerability?_s_id=cve) should be consulted for patched version availability and additional mitigation guidance.
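The following PHP is an added illustration of the storage-and-rendering pattern described under Technical Context and of the "child theme functions.php with proper escaping" option mentioned above. It is not code from the Add Custom Codes plugin or from Patchstack; the option names (vt_demo_snippet, vt_demo_snippet_is_raw), the admin-post action name and the assumption that a settings form posts a `snippet` field together with a nonce from `wp_nonce_field( 'vt_demo_save_snippet' )` are all hypothetical. It shows the unsafe store-then-echo pattern next to a hardened version that checks a nonce and capabilities at save time, sanitizes with the WordPress post-content allowlist for accounts that are not trusted with raw HTML, and records whether the stored value is trusted so that output can be escaped whenever it is not.

```php
<?php
// Added example (hypothetical names): a site-wide custom snippet stored as a WordPress option.

// --- Unsafe pattern: the request body is stored and later echoed verbatim. ---
function vt_demo_save_snippet_unsafe() {
    // No nonce check, no capability check, no sanitization: anyone who can reach this
    // handler can persist arbitrary markup that every visitor's browser will execute.
    update_option( 'vt_demo_snippet', $_POST['snippet'] );
}
function vt_demo_render_snippet_unsafe() {
    echo get_option( 'vt_demo_snippet' ); // stored payload reaches the page unescaped
}

// --- Hardened pattern ---
function vt_demo_save_snippet() {
    // 1. CSRF protection: the form must carry a valid nonce for this exact action.
    check_admin_referer( 'vt_demo_save_snippet' );

    // 2. Only accounts with manage_options may change site-wide snippets at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $raw = isset( $_POST['snippet'] ) ? (string) wp_unslash( $_POST['snippet'] ) : '';

    // 3. Raw HTML/JS is kept only for users WordPress already trusts with it
    //    (the unfiltered_html capability; super admins only on multisite). Everyone else
    //    gets wp_kses_post(), which strips <script>, on* event handlers and javascript: URLs.
    $trusted = current_user_can( 'unfiltered_html' );
    update_option( 'vt_demo_snippet', $trusted ? $raw : wp_kses_post( $raw ) );
    update_option( 'vt_demo_snippet_is_raw', $trusted ? '1' : '0' );

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
// admin-post.php routes POST ?action=vt_demo_save_snippet to this handler for logged-in users.
add_action( 'admin_post_vt_demo_save_snippet', 'vt_demo_save_snippet' );

function vt_demo_render_snippet() {
    $snippet = (string) get_option( 'vt_demo_snippet', '' );

    // 4. Output-side control: unless the value was saved by an unfiltered_html user,
    //    escape again at render time so that an option written by another path
    //    (direct database access, an import, an older plugin version) cannot run script.
    if ( '1' === get_option( 'vt_demo_snippet_is_raw', '0' ) ) {
        echo $snippet; // deliberately raw: emitting trusted script is the feature's purpose
    } else {
        echo wp_kses_post( $snippet );
    }
}
add_action( 'wp_footer', 'vt_demo_render_snippet' );
```

The design point worth taking from this is that a feature whose job is to emit JavaScript cannot rely on output escaping alone, so the save-time capability gate becomes the real trust boundary. That is why the interim workaround above, keeping the set of accounts that can edit custom code as small as possible, is a meaningful control rather than a cosmetic one, and why a plugin that stores whatever an authenticated user submits without that gate is exposed to exactly the stored XSS this advisory describes.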