CVE-2025-24699 Overview
CVE-2025-24699 is a Cross-Site Request Forgery (CSRF) vulnerability in the Wow-Company WP Coder plugin for WordPress. The flaw chains CSRF [CWE-352] with Cross-Site Scripting (XSS), letting an attacker inject script payloads into the plugin by tricking an authenticated administrator into clicking a crafted link. All versions of WP Coder up to and including 3.6 are affected. Successful exploitation enables stored or reflected JavaScript execution in an administrator session, which can lead to account takeover, content modification, or pivoting to further site compromise. The vulnerability requires user interaction and operates over the network without prior authentication on the attacker side.
Critical Impact
An attacker can forge requests that inject malicious JavaScript through the WP Coder plugin, executing code in an administrator's browser context and compromising the WordPress site.
Affected Products
- Wow-Company WP Coder WordPress plugin
- WP Coder versions from initial release through 3.6
- WordPress sites with WP Coder installed and active
Discovery Timeline
- 2025-02-14 - CVE-2025-24699 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-24699
Vulnerability Analysis
The vulnerability combines two weaknesses in the WP Coder plugin. First, sensitive administrative actions lack proper anti-CSRF tokens, so the plugin accepts state-changing requests without verifying request origin. Second, user-supplied input handled through those actions is not sanitized before being rendered, enabling Cross-Site Scripting.
An attacker hosts a malicious page or sends a crafted link to a logged-in WordPress administrator. When the administrator visits the page, their browser silently submits the forged request to the vulnerable plugin endpoint. The request stores attacker-controlled JavaScript in the plugin's code snippet or output, which later executes in the context of the WordPress site.
Because WP Coder is designed to render arbitrary HTML, CSS, and JavaScript on pages, the impact extends to any visitor who loads a page where the injected snippet is rendered. The vulnerable component is the plugin, but the effect reaches the whole WordPress site and its visitors, which is why the issue is rated as scope-changed.
Root Cause
The root cause is missing CSRF protection on plugin request handlers, combined with insufficient output encoding of stored snippet data. The plugin does not validate WordPress nonces on the affected endpoints, so requests originating from third-party sites are processed as if they were legitimate administrator actions.
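The two weaknesses above, shown as an added example rather than WP Coder's own code: a hypothetical admin_post save handler (the action name wpc_save_snippet and the option key wpc_snippets are assumed) first without protection, then hardened with the WordPress nonce, capability and escaping calls the advisory says are missing.

```php
<?php
// Added example, not WP Coder's code. Hypothetical handler "wpc_save_snippet"
// and option key "wpc_snippets" illustrate the two defect classes the advisory
// describes: a state-changing admin_post handler with no nonce check, and
// snippet metadata echoed back without output encoding.

// VULNERABLE pattern: any request reaching this hook is processed, so a form
// auto-submitted from a third-party page in an admin's browser succeeds.
function wpc_save_snippet_vulnerable() {
    $snippets   = get_option( 'wpc_snippets', array() );
    $snippets[] = array(
        'title' => $_POST['title'],   // stored raw
        'code'  => $_POST['code'],    // stored raw
    );
    update_option( 'wpc_snippets', $snippets );
    echo 'Saved: ' . $_POST['title']; // reflected without encoding
}

// HARDENED: capability check, nonce tied to this action, input sanitized,
// metadata escaped on output. The snippet body stays raw by design (the plugin
// exists to render arbitrary HTML/JS), so for that field the nonce is the control.
function wpc_save_snippet_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Dies with 403 unless a valid _wpnonce for exactly this action is present,
    // which a form hosted on another origin cannot supply.
    check_admin_referer( 'wpc_save_snippet' );

    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $code  = wp_unslash( $_POST['code'] ?? '' );

    $snippets   = get_option( 'wpc_snippets', array() );
    $snippets[] = array( 'title' => $title, 'code' => $code );
    update_option( 'wpc_snippets', $snippets );
    echo 'Saved: ' . esc_html( $title ); // encoded before it reaches the admin page
}
add_action( 'admin_post_wpc_save_snippet', 'wpc_save_snippet_hardened' );

// The plugin's own admin form must emit the nonce the handler verifies.
function wpc_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wpc_save_snippet">';
    wp_nonce_field( 'wpc_save_snippet' );
    echo '<input name="title"><textarea name="code"></textarea>';
    echo '<button>Save</button></form>';
}
```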
Attack Vector
Exploitation requires an authenticated WordPress administrator to interact with attacker-controlled content, typically by clicking a link or visiting a page that auto-submits a form. The attack travels over the network and requires no privileges on the target site. The vulnerability has an EPSS score of 0.096% (26.3 percentile), indicating low observed exploitation activity at this time.
The exploitation flow is described in prose because no verified public proof-of-concept code is available. Refer to the Patchstack WP Coder Plugin Vulnerability advisory for additional technical context.
Detection Methods for CVE-2025-24699
Indicators of Compromise
- Unexpected <script> tags, event handlers, or external JavaScript references inside WP Coder snippets, widgets, or shortcodes.
- WordPress administrator sessions producing POST requests to WP Coder admin endpoints with HTTP Referer headers from unrelated third-party domains.
- New or modified WP Coder entries created shortly after an administrator visited an external link or untrusted page.
Detection Strategies
- Audit the WP Coder plugin database tables and exported configurations for snippets containing inline JavaScript not authored by site staff.
- Review WordPress access logs for state-changing requests to plugin endpoints lacking a matching _wpnonce parameter or with cross-origin Referer values.
- Deploy a web application firewall rule to flag POST requests to /wp-admin/admin.php?page=wp-coder* that originate from external referrers.
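The log review and WAF rule above, as an added example that is not from the advisory or the plugin: it scans Apache combined-format access log lines (constructed here) for POST requests to the WP Coder admin page that carry no _wpnonce in the query string or arrive with a Referer from another origin. The site host blog.example is an assumption; note that WordPress forms normally send the nonce in the POST body, which access logs do not record, so the Referer origin check is the more dependable of the two signals.

```php
<?php
// Added example, not from the advisory or the plugin. Flags POST requests to the
// WP Coder admin page (path from the advisory) that either lack _wpnonce in the
// query string or carry a Referer from a different origin. Log lines below are
// constructed in Apache "combined" format; the site host is an assumption.

const SITE_HOST = 'blog.example';   // assumption: the protected WordPress host

function wpc_flag_line( string $line ): ?string {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;                                // not a combined-format line
    }
    [ , $ip, $when, $method, $target, $referer ] = $m;
    if ( $method !== 'POST' ) {
        return null;                                // only state-changing requests
    }
    $url  = parse_url( $target );
    $path = $url['path'] ?? '';
    parse_str( $url['query'] ?? '', $q );
    // Only the WP Coder admin page matters (advisory prefix page=wp-coder*).
    if ( $path !== '/wp-admin/admin.php' || strpos( $q['page'] ?? '', 'wp-coder' ) !== 0 ) {
        return null;
    }
    $reasons = [];
    if ( ! isset( $q['_wpnonce'] ) ) {
        $reasons[] = 'no _wpnonce in query';
    }
    $ref_host = $referer === '-' ? '' : (string) parse_url( $referer, PHP_URL_HOST );
    if ( $ref_host !== SITE_HOST ) {
        $reasons[] = 'cross-origin or missing Referer (' . ( $ref_host ?: 'none' ) . ')';
    }
    return $reasons ? "$when $ip $target -> " . implode( '; ', $reasons ) : null;
}

// Constructed sample: a legitimate save, a save driven from a lure page, a GET.
$sample = [
    '203.0.113.5 - - [14/Feb/2025:10:01:02 +0000] "POST /wp-admin/admin.php?page=wp-coder&_wpnonce=abc123 HTTP/1.1" 302 0 "https://blog.example/wp-admin/admin.php?page=wp-coder" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Feb/2025:10:05:40 +0000] "POST /wp-admin/admin.php?page=wp-coder HTTP/1.1" 302 0 "https://lure.invalid/page.html" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Feb/2025:10:06:00 +0000] "GET /wp-admin/admin.php?page=wp-coder HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];
foreach ( $sample as $line ) {
    if ( $hit = wpc_flag_line( $line ) ) {
        echo "ALERT: $hit\n";                       // only the second line is flagged
    }
}
```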
Monitoring Recommendations
- Enable WordPress audit logging to capture plugin configuration changes, administrator session activity, and snippet modifications.
- Alert on outbound requests from site visitors to unknown domains, which can indicate injected JavaScript exfiltrating data.
- Monitor administrator accounts for unusual login times, IP changes, or privilege modifications following plugin edits.
How to Mitigate CVE-2025-24699
Immediate Actions Required
- Update WP Coder to a version later than 3.6 once the vendor releases a patched build.
- Audit all existing WP Coder snippets and remove any JavaScript that cannot be attributed to a legitimate site change.
- Force password resets and review session tokens for all WordPress administrator accounts.
Patch Information
The vendor advisory tracked at Patchstack WP Coder Plugin Vulnerability lists WP Coder <= 3.6 as affected. Site operators should install the next release from Wow-Company that includes nonce validation and output sanitization, then verify the installed version reports higher than 3.6.
Workarounds
- Deactivate and remove the WP Coder plugin until a fixed version is installed if the plugin is not business-critical.
- Restrict access to /wp-admin/ by IP allowlist or VPN to reduce exposure of administrator sessions to CSRF lures.
- Deploy a Content Security Policy that blocks inline scripts on the WordPress site to limit the impact of injected payloads.
- Require administrators to use separate browsers or profiles for WordPress management and general browsing.
# Configuration example: temporarily disable WP Coder via WP-CLI
wp plugin deactivate wp-coder
# Confirm the plugin now reports as inactive
wp plugin status wp-coder
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.