Attack Vectors
Add Custom Codes – Insert Header, Footer, Custom PHP Snippets, CSS, Javascript (slug: add-custom-codes) versions 4.80 and below contain a medium-severity Cross-Site Request Forgery (CSRF) issue tracked as CVE-2025-62739 (CVSS 4.3).
This attack does not require the attacker to log in. Instead, it relies on social engineering: an attacker convinces a site administrator (or another privileged WordPress user) to click a link or visit a webpage while logged into the WordPress dashboard. That visit can silently submit a forged request to your site.
Security Weakness
The underlying weakness is missing or incorrect nonce validation on a plugin function. In WordPress, nonces help confirm that an action request is intentional and originates from an authorized admin session.
When nonce validation is absent or implemented incorrectly, a browser that is already authenticated to WordPress can be tricked into sending “valid-looking” requests—even when the admin never meant to perform that action.
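The nonce gap described above, as an added example that is not the plugin's code: a hypothetical admin-post handler that stores a header snippet, first without a nonce check and then with WordPress's own wp_nonce_field()/check_admin_referer() pair. All acc_* names are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code). Function and option names prefixed
// acc_* are illustrative assumptions, not identifiers from the real plugin.

// --- Weak form: the weakness class described above. Any POST that arrives
// from an authenticated admin's browser is honored, including one forged
// by a page the admin was lured into visiting.
function acc_save_snippet_weak() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // A capability check alone proves who the browser is logged in as,
    // not that the admin intended to send this particular request.
    update_option( 'acc_header_snippet', wp_unslash( $_POST['acc_snippet'] ?? '' ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=acc-settings' ) );
    exit;
}

// --- Hardened form: the settings form embeds a nonce bound to this action
// and the current session; a third-party page cannot read or guess it.
function acc_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="acc_save_snippet">';
    wp_nonce_field( 'acc_save_snippet', 'acc_nonce' ); // hidden nonce + referer fields
    echo '<textarea name="acc_snippet"></textarea>';
    submit_button( 'Save' );
    echo '</form>';
}

function acc_save_snippet_hardened() {
    // check_admin_referer() verifies the nonce for this action and stops
    // execution with an error page if it is missing, stale, or forged.
    check_admin_referer( 'acc_save_snippet', 'acc_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    update_option( 'acc_header_snippet', wp_unslash( $_POST['acc_snippet'] ?? '' ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=acc-settings' ) );
    exit;
}
add_action( 'admin_post_acc_save_snippet', 'acc_save_snippet_hardened' );
```

A forged cross-site form can still carry the admin's cookies, but it cannot supply a valid acc_nonce, so the hardened handler rejects it before any option is written.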
Technical or Business Impacts
Because this is a CSRF vulnerability, the primary risk is unauthorized changes performed in the background under an administrator’s authority. Even “low” or “limited” changes can create outsized business impact if they alter how the site behaves or how content is presented.
From a business-risk perspective, the impact can include loss of control over site administration actions, increased time spent on investigation and cleanup, and potential brand/reputation damage if the site’s behavior changes in ways customers notice. For regulated organizations, any security control gap affecting administrative actions can also raise compliance and audit concerns, particularly around change management and access control.
Remediation: Update the plugin to version 5.0 or a newer patched version. For reference, see the vendor/community advisory details from Wordfence: Wordfence vulnerability entry.
Similar Attacks
CSRF has been used in real-world campaigns to push unwanted configuration changes by exploiting a user’s already-authenticated browser session. A well-known example is “drive-by pharming,” where attackers used CSRF-style techniques against vulnerable home routers to change DNS settings and redirect victims to malicious destinations: Drive-by pharming (Wikipedia).