CVE-2021-4418: 
WordPress vulnerability analysis and mitigation

The Custom CSS, JS & PHP plugin for WordPress (versions up to 2.0.7) contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2021-4418. The vulnerability exists due to missing or incorrect nonce validation in the save() function, which allows unauthenticated attackers to save code snippets via forged requests if they can trick a site administrator into performing certain actions like clicking a link (NVD).

The vulnerability stems from improper implementation of WordPress security nonces in the save() function located in modules/code/model.code.php. The code only verifies the nonce if it is present in the request, but fails to properly validate when the nonce is missing, creating a security bypass condition. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (Wordfence).

If successfully exploited, this vulnerability allows attackers to save malicious code snippets to the WordPress site through CSRF attacks. This requires tricking an authenticated administrator into performing specific actions, but could lead to unauthorized code execution if successful (NVD).

Users should update the Custom CSS, JS & PHP plugin to a version newer than 2.0.7 which contains the security fix. The vulnerability was patched by implementing proper nonce validation in the save() function (WordPress Plugin).