CVE-2025-24699: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the WP Coder – Code Snippets + HTML, CSS, JS and PHP Injection WordPress plugin, affecting versions up to and including 3.6. The vulnerability was discovered by researcher 0xd4rk5id3 and publicly disclosed on January 31, 2025. The issue was assigned CVE-2025-24699 and affects the Wow-Company WP Coder plugin, which allows for potential Cross-Site Scripting (XSS) attacks (Patchstack, WPScan).

The vulnerability stems from missing or incorrect nonce validation on certain functions within the plugin. It has been assigned a CVSS v3.1 score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and falls under the OWASP Top 10 category A2: Broken Authentication and Session Management (Patchstack, NVD).

The vulnerability allows unauthenticated attackers to update settings and inject malicious web scripts through forged requests, provided they can trick a site administrator into performing specific actions such as clicking on a malicious link. This could lead to stored cross-site scripting attacks, potentially compromising the security of the affected WordPress installation (WPScan).

The vulnerability has been fixed in version 3.6.1 of the WP Coder plugin. Site administrators are advised to update to version 3.6.1 or later immediately. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied. Additionally, Patchstack users can enable auto-update functionality for vulnerable plugins (Patchstack).