Attack Vectors
CVE-2025-62108 affects the WordPress plugin Add Custom Codes – Insert Header, Footer, Custom PHP Snippets, CSS, Javascript (slug: add-custom-codes) in versions up to and including 4.80. It is rated Medium severity (CVSS 3.1 base score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N): the flaw is reachable over the network, requires no user interaction, and needs only low-privileged credentials (PR:L).
In practice, an attacker first needs a valid login at subscriber level or higher (for example, a compromised customer account, a reused password, or a stale low-level account that was never removed). With that foothold, they can call a plugin function that lacks a permission check and perform an action the account should not be allowed to take.
Security Weakness
The root cause is a missing authorization (capability) check on a function in the plugin. In WordPress terms, the plugin does not verify, for example with current_user_can(), that the logged-in user holds the capability required for a sensitive operation before performing it; being logged in at all is treated as sufficient.
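To make the weakness concrete, here is an added example (not the plugin's own code, and the advisory does not name the affected function) showing the vulnerable pattern next to its hardened form. The hook names, function names and option name (acc_save_snippet, acc_save_snippet_secure, acc_custom_snippet) are hypothetical; the WordPress APIs used (add_action, check_ajax_referer, current_user_can, update_option, wp_send_json_*) are real.

```php
<?php
// Added example, not code from the add-custom-codes plugin. The hook, function
// and option names below are hypothetical; only the WordPress API calls are real.

// VULNERABLE PATTERN. Any authenticated user can reach a wp_ajax_* handler via
// /wp-admin/admin-ajax.php?action=acc_save_snippet. This handler never asks
// whether the caller is allowed to change site configuration, so a subscriber
// can overwrite the stored snippet.
add_action( 'wp_ajax_acc_save_snippet', 'acc_save_snippet' );
function acc_save_snippet() {
    $snippet = isset( $_POST['snippet'] ) ? wp_unslash( $_POST['snippet'] ) : '';
    update_option( 'acc_custom_snippet', $snippet ); // integrity impact: state changed
    wp_send_json_success();
}

// HARDENED PATTERN. Two separate checks, each guarding a different risk:
//  1. check_ajax_referer(): the request carries a valid nonce (anti-CSRF).
//     A nonce alone is NOT authorization; a subscriber can obtain one.
//  2. current_user_can(): the caller actually holds the capability needed.
//     Injecting header/footer/PHP code is an administrator-level action,
//     so manage_options is the appropriate bar.
// Unauthorized callers get a 403 and no state is touched.
add_action( 'wp_ajax_acc_save_snippet_secure', 'acc_save_snippet_secure' );
function acc_save_snippet_secure() {
    check_ajax_referer( 'acc_save_snippet', 'nonce' ); // dies on failure

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 ); // exits
    }

    $snippet = isset( $_POST['snippet'] ) ? wp_unslash( $_POST['snippet'] ) : '';
    update_option( 'acc_custom_snippet', $snippet );
    wp_send_json_success();
}
```

The practitioner's check when reviewing any plugin handler registered on wp_ajax_*, admin_post_* or a REST route: find the first line that reads request input or writes state, and confirm a current_user_can() (or an equivalent permission_callback for REST) runs before it. A nonce check without a capability check is the most common way a "subscriber can do admin things" bug survives review.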
This kind of weakness is especially relevant for organizations where accounts are broadly distributed (marketing, contractors, agencies, interns, partners) or where “subscriber” accounts exist for gated content, events, or customer portals—because those accounts can become a stepping-stone for unwanted changes.
Technical or Business Impacts
Because the vulnerability lets a low-privileged authenticated user perform an unauthorized action, the immediate business concern is loss of control over site configuration and content-related behavior. The attacker does not gain direct read access to sensitive data: the CVSS vector records no confidentiality impact and low integrity impact.
For marketing and leadership teams, the most likely outcomes are operational: unexpected site changes that impact brand trust, campaign performance, landing page accuracy, tracking consistency, or compliance obligations if site behavior is modified in ways that weren’t approved. Even “small” unauthorized changes can create real costs through incident response time, campaign pauses, and reputational damage.
Recommended remediation: update the plugin to version 5.0 or later. In parallel, review whether you truly need subscriber accounts, remove stale users, enforce strong passwords and MFA where possible, and make sure changes to plugin settings and injected code are logged and reviewed so that unexpected administrative actions are noticed quickly.
Reference: CVE record for CVE-2025-62108 and the original report source from Wordfence Threat Intelligence.
Similar Attacks
Missing or weak authorization checks (often grouped under “broken access control”) are a common cause of real-world incidents because they let attackers do things they should not be able to do after gaining a basic foothold. Examples of high-profile authorization/authentication-related issues include:
CVE-2023-22515 (Atlassian Confluence)
CVE-2023-35078 (Ivanti Endpoint Manager Mobile)
CVE-2019-11510 (Pulse Secure VPN)
The takeaway for business owners and compliance teams is that “low-privilege” accounts and third-party software permissions must be treated as part of your risk surface. Regular plugin updates and tighter account governance materially reduce the odds that a minor access gap becomes a costly incident.