CVE-2025-39601
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in the WPFactory Custom CSS, JS & PHP WordPress plugin allows attackers to trick authenticated administrators into executing malicious requests, leading to remote code inclusion and potential remote code execution. This affects WordPress sites using vulnerable versions of the plugin. The high CVSS score reflects the combination of CSRF leading to RCE.
💻 Affected Systems
- WPFactory Custom CSS, JS & PHP WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise through remote code execution, allowing attackers to install backdoors, steal data, deface websites, or use the server for malicious activities.
Likely Case
Attackers inject malicious code into WordPress sites, potentially creating backdoors, redirecting traffic, or stealing sensitive information from visitors.
If Mitigated
Limited impact if proper CSRF protections are implemented at the application or web server level, though the vulnerability remains present in the plugin.
🎯 Exploit Status
Exploitation requires social engineering to trick authenticated users, but the technical execution is straightforward once the user is tricked.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.2 or later
Vendor Advisory: https://patchstack.com/database/wordpress/plugin/custom-css/vulnerability/wordpress-custom-css-js-php-plugin-2-4-1-csrf-to-rce-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Custom CSS, JS & PHP' plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 2.4.2+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate custom-css-js-php
Implement CSRF Protection Headers
linuxAdd CSRF protection at web server or application firewall level
# Add to .htaccess for Apache: Header set X-Frame-Options "DENY"
# Add to nginx config: add_header X-Frame-Options "DENY";
🧯 If You Can't Patch
- Restrict admin access to trusted networks only using firewall rules
- Implement additional authentication factors for admin users
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Custom CSS, JS & PHP. If version is 2.4.1 or earlier, you are vulnerable.Check Version:
wp plugin get custom-css-js-php --field=versionVerify Fix Applied:
Verify plugin version is 2.4.2 or later in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action parameters related to the plugin
- Unexpected file writes in WordPress uploads or plugin directories
Network Indicators:
- HTTP requests with suspicious parameters targeting the vulnerable plugin endpoints
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND query="action=cssjsphp_*" AND status=200)