Threat Entry Updated 2024-11-23

CVE-2024-11330 - Php Plugin

The Custom CSS, JS & PHP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.3.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Php

CVE-2024-11330

MEDIUM CVSS 6.1 2024-11-23

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-04-08

CVE-2021-4418 - Php Plugin

The Custom CSS, JS & PHP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to save code snippets via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Php

CVE-2021-4418

MEDIUM CVSS 4.3 2023-10-20

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2022-1732 - Php Plugin

The Rename wp-login.php WordPress plugin through 2.6.0 does not have CSRF check in place when updating the secret login URL, which could allow attackers to make a logged in admin change them via a CSRF attack

PLUGIN Php

CVE-2022-1732

MEDIUM CVSS 6.5 2022-07-11

Risk Score

Open Full Technical Breakdown