CVE-2025-30975: 
WordPress vulnerability analysis and mitigation

A code injection vulnerability (CVE-2025-30975) was discovered in the WordPress plugin 'Add Custom Codes' affecting versions up to 4.80. The vulnerability was reported by Ryan Novotny on May 2, 2025, and was publicly disclosed on August 14, 2025. The affected plugin, developed by SaifuMak, allows unauthorized code injection that could potentially compromise WordPress installations (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. It is classified as CWE-94 (Improper Control of Generation of Code) and requires contributor-level privileges to exploit. The technical assessment indicates that the vulnerability allows for arbitrary code execution in the affected WordPress installations (NVD, Patchstack).

The vulnerability is considered moderately dangerous with high potential for exploitation. If successfully exploited, it could allow malicious actors to remotely execute arbitrary code on affected websites, potentially leading to complete site compromise. The vulnerability affects confidentiality, integrity, and availability of the system, all rated as 'High' in the CVSS scoring (Patchstack).

As of the disclosure, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately or consider removing the plugin until a security update is released (Patchstack).