CVE-2024-3903 in Add Custom CSS and JS Plugininfo

Summary

by MITRE • 05/14/2024

The Add Custom CSS and JS WordPress plugin through 1.20 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in as author and above add Stored XSS payloads via a CSRF attack

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/14/2025

The vulnerability identified as CVE-2024-3903 affects the Add Custom CSS and JS WordPress plugin version 1.20 and earlier, presenting a critical security risk through the exploitation of cross-site request forgery and stored cross-site scripting flaws. This vulnerability specifically targets WordPress installations where users have author-level privileges or higher, creating a significant attack surface that could enable persistent malicious code execution within the target environment.

The technical flaw stems from the plugin's inadequate implementation of cross-site request forgery protection mechanisms in certain administrative functions. Without proper CSRF tokens or validation checks, attackers can craft malicious requests that appear legitimate to the WordPress admin interface. Additionally, the plugin fails to implement proper input sanitization and output escaping mechanisms, creating conditions where user-supplied content can be stored and subsequently executed as JavaScript code within the browser context of authenticated users.

This vulnerability operates through a stored XSS attack vector where malicious payloads are injected into the plugin's administrative interface and persistently stored within the WordPress database. When authenticated users with author privileges or higher access the affected administrative pages, the malicious JavaScript code executes in their browser context, potentially leading to session hijacking, credential theft, or further compromise of the WordPress installation. The attack requires minimal privileges since it targets users who can already add custom CSS and JS content, making it particularly dangerous in environments where content authors have elevated permissions.

The operational impact of this vulnerability extends beyond simple XSS execution, as it enables attackers to establish persistent footholds within WordPress environments. Attackers can leverage this vulnerability to inject malicious scripts that can harvest user credentials, redirect traffic to malicious sites, or even deploy additional malware. The stored nature of the XSS payload means that the attack remains effective even after the initial compromise, potentially affecting all authenticated users who interact with the compromised administrative interfaces. This vulnerability particularly impacts WordPress installations where multiple users with author-level privileges exist, as any of these users could become compromised through this attack vector.

The vulnerability aligns with CWE-352, which defines cross-site request forgery as a weakness where a web application does not adequately verify that requests originate from legitimate sources. Additionally, the lack of input sanitization and output escaping corresponds to CWE-79, which addresses cross-site scripting vulnerabilities. From an ATT&CK framework perspective, this vulnerability maps to T1566.001 for initial access through malicious content and T1059.001 for command and control through script execution. Organizations should immediately implement mitigations including plugin updates to versions that address the CSRF and sanitization issues, implementing additional security measures such as web application firewalls, and conducting thorough security audits of all installed plugins. Regular monitoring of administrative interfaces and user activity logs should also be implemented to detect potential exploitation attempts.

Reservation

04/17/2024

Disclosure

05/14/2024

Moderation

accepted

CPE

ready

EPSS

0.00212

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!