CVE-2024-3903
📋 TL;DR
This vulnerability in the Add Custom CSS and JS WordPress plugin allows attackers to perform Cross-Site Request Forgery (CSRF) attacks that inject malicious JavaScript code (Stored XSS) into WordPress sites. Attackers can exploit this to hijack admin sessions, deface websites, or steal sensitive data when logged-in users with author privileges or higher visit malicious pages. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Add Custom CSS and JS WordPress plugin
📦 What is this software?
Add Custom Css And Js by Technologicx
⚠️ Risk & Real-World Impact
Worst Case
Attackers could gain administrative access to the WordPress site, install backdoors, steal sensitive data, deface the website, or use the site for further attacks against visitors.
Likely Case
Attackers inject malicious JavaScript that steals session cookies or redirects users to phishing sites when logged-in users with appropriate privileges visit compromised pages.
If Mitigated
With proper security controls like web application firewalls and user awareness training, exploitation attempts would be blocked or detected before causing significant damage.
🎯 Exploit Status
Exploitation requires tricking a logged-in user with author privileges or higher to click a malicious link. No authentication bypass is needed beyond the initial user interaction.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.21 or later
Vendor Advisory: https://wpscan.com/vulnerability/0a0e7bd4-948d-47c9-9219-380bda9f3034/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Add Custom CSS and JS' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.21 or later from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable plugin
Applies to: all
Temporarily disable the Add Custom CSS and JS plugin until it is patched:
wp plugin deactivate add-custom-css-and-js
Implement CSRF protection
Applies to: all
Add CSRF tokens (WordPress nonces) to the plugin's forms, for example via a security plugin
🧯 If You Can't Patch
- Remove the Add Custom CSS and JS plugin completely and use alternative methods for custom CSS/JS
- Implement strict Content Security Policy (CSP) headers to block inline JavaScript execution
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel, go to Plugins > Installed Plugins and check whether 'Add Custom CSS and JS' is at version 1.20 or earlier
Check Version:
wp plugin get add-custom-css-and-js --field=version
Verify Fix Applied:
Confirm in the WordPress admin panel (or with the wp-cli command above) that the plugin version is 1.21 or higher
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with custom_css or custom_js parameters
- Multiple failed CSRF token validation attempts in WordPress logs
Network Indicators:
- Unexpected JavaScript appearing in the plugin's settings pages (custom code entries that the site's own authors did not add)
- Suspicious outbound connections from WordPress admin pages
SIEM Query:
source="wordpress.log" AND ("custom_css" OR "custom_js") AND status=200
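The log indicators and SIEM query above can be turned into a small offline check. The following is an added example, not part of the advisory or the plugin's code: it parses constructed access-log lines in combined log format, applies the page's indicator (a request to /wp-admin/admin-ajax.php carrying a custom_css or custom_js parameter that was answered with status 200), and adds one heuristic of its own for the CSRF part of this issue, namely a POST to admin-ajax.php whose Referer is missing or belongs to a host other than the monitored site. SITE_HOST, the sample IPs and the sample lines are assumptions; real POST bodies are not present in an access log, so the parameter check only sees query strings, and body parameters need a WAF or application log.

```python
"""Flag access-log lines matching the CVE-2024-3903 indicators (added example).

Assumptions: combined log format (Apache/nginx default), SITE_HOST is the
monitored WordPress host, and the parameter names are those the advisory lists.
The Referer check is an added heuristic, not something the advisory states.
"""
import re
from urllib.parse import urlparse, parse_qs

SITE_HOST = "example.com"                        # assumption: monitored host
INDICATOR_PARAMS = {"custom_css", "custom_js"}   # parameter names from the advisory
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of reasons an entry is suspicious (empty list if none).

    1. Advisory indicator: admin-ajax.php request with a custom_css / custom_js
       parameter in the query string, answered 200.
    2. Added CSRF heuristic: POST to admin-ajax.php with no Referer, or a
       Referer from a host other than SITE_HOST (a forged request is submitted
       from the attacker's page, so the browser sends that page as Referer).
    """
    reasons = []
    url = urlparse(entry["target"])
    if url.path != AJAX_PATH:
        return reasons
    hit = INDICATOR_PARAMS & set(parse_qs(url.query))
    if hit and entry["status"] == "200":
        reasons.append("indicator-param:" + ",".join(sorted(hit)))
    if entry["method"] == "POST":
        referer = entry["referer"]
        if referer in ("", "-"):
            reasons.append("cross-site-post:no-referer")
        else:
            host = urlparse(referer).hostname
            if host != SITE_HOST:
                reasons.append("cross-site-post:" + (host or referer))
    return reasons


def scan(lines):
    """Return [(ip, target, reasons)] for each parseable line with at least one reason."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["target"], reasons))
    return findings


# Constructed sample log (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = [
    # Ordinary heartbeat call from inside wp-admin: not flagged.
    '198.51.100.7 - - [12/Apr/2024:09:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "https://example.com/wp-admin/" "Mozilla/5.0"',
    # POST carrying custom_js, submitted from a page on another origin: both reasons.
    '203.0.113.9 - - [12/Apr/2024:09:15:31 +0000] "POST /wp-admin/admin-ajax.php?action=save&custom_js=1 HTTP/1.1" 200 12 "https://third-party.invalid/lure.html" "Mozilla/5.0"',
    # GET with custom_css answered 200 from the site itself: advisory indicator only.
    '198.51.100.7 - - [12/Apr/2024:09:16:05 +0000] "GET /wp-admin/admin-ajax.php?custom_css=1 HTTP/1.1" 200 12 "https://example.com/wp-admin/admin.php" "Mozilla/5.0"',
    # Unrelated request: not flagged.
    '203.0.113.9 - - [12/Apr/2024:09:17:40 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    # POST to admin-ajax.php with no Referer at all: CSRF heuristic only.
    '203.0.113.10 - - [12/Apr/2024:09:18:12 +0000] "POST /wp-admin/admin-ajax.php?action=save HTTP/1.1" 403 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```

Legitimate admin saves also carry these parameters, so the indicator alone is a triage signal, not proof of exploitation; the Referer heuristic is what separates a same-origin save from a request submitted from a third-party page, and it is best read together with the SIEM query above rather than as a replacement for it.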