Vulnerabilities and security researches forcustom-css custom-css

Jun 07, 2024

CVE, Research URL: -
Home page URL: Security reports for Custom CSS, JS & PHP
Application: Custom CSS, JS & PHP
Date: Jun 07, 2023
Research Description: Rejected reason: CVE split into individual CVE IDs for each software record.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: e03420c55099714ac90da016761d318e5e1cb6db
Home page URL: Security reports for Custom CSS, JS & PHP
Application: Custom CSS, JS & PHP
Date: -
Research Description: Custom CSS, JS & PHP [custom-css] <= 2.0.7 (unfixed) Various Affected Software (Various Versions) - Cross-Site Request Forgery Bypass Over 70 plugins and themes were vulnerable to Cross-Site Request Forgery due to improperly implemented nonce protection that could be bypassed.
Affected versions: Min -, max -.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2021-4418
Home page URL: Security reports for Custom CSS, JS & PHP
Application: Custom CSS, JS & PHP
Date: -
Research Description: The Custom CSS, JS & PHP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to save code snippets via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: Min -, max -.
Status: vulnerable

Nov 25, 2024

CVE, Research URL: CVE-2024-11330
Home page URL: Security reports for Custom CSS, JS & PHP
Application: Custom CSS, JS & PHP
Date: Nov 23, 2024
Research Description: Custom CSS, JS & PHP [custom-css] <= 2.3.0 (unfixed) CVE-2024-11330 [en] The Custom CSS, JS & PHP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.3.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: Min -, max -.
Status: vulnerable

Apr 17, 2025

CVE, Research URL: CVE-2025-39601
Home page URL: Security reports for Custom CSS, JS & PHP
Application: Custom CSS, JS & PHP
Date: Apr 16, 2025
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in WPFactory Custom CSS, JS & PHP allows Remote Code Inclusion. This issue affects Custom CSS, JS & PHP: from n/a through 2.4.1.
Affected versions: Min -, max -.
Status: vulnerable