What is CVE-2025-39601?

A critical Cross-Site Request Forgery (CSRF) vulnerability in WPFactory Custom CSS, JS & PHP allows for remote code inclusion. Organizations should prioritize patching immediately to mitigate risks associated with this vulnerability.

What is the severity of CVE-2025-39601?

CVE-2025-39601 has a severity rating of CRITICAL with a CVSS base score of 9.6.

CVE-2025-39601 | Critical Vulnerability in WPFactory Custom CSS, JS & PHP

This vulnerability allows Remote Code Inclusion (RCE) through a Cross-Site Request Forgery (CSRF) in the WPFactory Custom CSS, JS & PHP plugin. It affects versions from n/a through 2.4.1. The CVSS score is 9.6, categorizing it as critical. This high severity indicates a significant risk to organizations, especially considering the potential for attackers to execute arbitrary code remotely.

Risk to organizations includes unauthorized access to sensitive data and possible complete control over the affected system. The presence of a known exploit heightens the urgency for defenders, as attackers may leverage this vulnerability to gain access to systems and data.

Organizations should prioritize patching immediately. With the critical nature of this vulnerability and the potential for exploitation, rapid response is essential in mitigating risks.

The vulnerability was published on April 16, 2025, and is currently awaiting further analysis. Its exploitability is rated as critical, with evidence from GitHub indicating that a proof of concept (PoC) exists.

Given the nature of this vulnerability, continuous monitoring and immediate action are advised for all organizations using the affected software.

Vulnerability Details

The Cross-Site Request Forgery (CSRF) vulnerability in WPFactory Custom CSS, JS & PHP allows remote code inclusion. This issue affects versions from n/a through 2.4.1. The CVSS score of 9.6 indicates a critical severity level. The attack vector is network-based, requiring low complexity, no privileges, and user interaction. The confidentiality, integrity, and availability impacts are all rated as high.

The CWE classification for this vulnerability is CWE-352, which pertains to Cross-Site Request Forgery (CSRF).

Technical Analysis

The root cause of this vulnerability lies in the insufficient validation of requests, allowing attackers to forge requests on behalf of authenticated users. The attack vector is through the network, meaning that an attacker can exploit the vulnerability remotely.

The attack complexity is low, requiring no special conditions. Privileges required are none, and user interaction is required to execute the attack. Once exploited, the attacker can compromise confidentiality, integrity, and availability, leading to severe consequences for affected organizations.

Risk & Impact Analysis

Organizations face significant risks with this vulnerability, as successful exploitation can lead to unauthorized access to sensitive data and control over systems. The potential blast radius is extensive, particularly for organizations using the affected plugin widely.

The urgency for organizations to address this vulnerability is critical due to its high CVSS score and the fact that exploits are known to be available. Organizations should prioritize patching this vulnerability as part of their immediate risk management strategy.

Exploitation Status

Signal	Status
Known Exploit	Yes
Public PoC	Yes
Actively Exploited	No
Ransomware Use	No

Affected Versions

All versions prior to vendor patch, specifically affecting Custom CSS, JS & PHP: from n/a through 2.4.1.

Mitigation & Remediation

Organizations should prioritize patching immediately. To mitigate risks, update the WPFactory Custom CSS, JS & PHP plugin to the latest version. If a patch is unavailable, consider implementing workarounds such as disabling the plugin until a patch is applied.

More information on best practices for securing WordPress plugins can be found through our web application penetration testing resources.

Detection Guidance

Monitor logs for unauthorized access attempts and unusual behaviors indicative of exploitation. Pay attention to user interactions with the affected plugin and look for any anomalies in system behavior.

AppSecure Threat Intelligence Insight

This vulnerability underscores the importance of verifying the security of third-party plugins. Security teams should implement robust security testing frameworks to identify vulnerabilities in these components.

For organizations utilizing WordPress, adopting a proactive security posture is critical. Continuous security assessments, such as penetration testing, can help identify and mitigate risks before they are exploited.

Security teams should also review their incident response plans to ensure preparedness against potential exploitation of vulnerabilities like CVE-2025-39601.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2025-39601: Critical Vulnerability in WPFactory Custom CSS, JS & PHP