CVE-2025-39601: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability was discovered in WPFactory Custom CSS, JS & PHP plugin affecting versions through 2.4.1. The vulnerability was identified on April 16, 2025, and assigned identifier CVE-2025-39601. This security issue allows Remote Code Inclusion, potentially affecting WordPress installations using the vulnerable plugin versions (Patchstack, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.6 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. The issue is classified as CWE-352 (Cross-Site Request Forgery) and requires user interaction for exploitation. The vulnerability allows an attacker to perform Remote Code Inclusion through CSRF attacks (Patchstack).

The vulnerability's critical CVSS score of 9.6 indicates severe potential impact. If exploited, it could allow attackers to execute remote code on the affected system through CSRF attacks, potentially leading to complete system compromise. The attack can be initiated remotely and requires no authentication, though it does need user interaction (Patchstack).

The vulnerability has been fixed in version 2.4.2 of the WPFactory Custom CSS, JS & PHP plugin. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).

The vulnerability was initially reported by security researcher Nguyen Xuan Chien on March 19, 2025, and was subsequently published by Patchstack on April 16, 2025 (Patchstack).