Description
Cross-Site Request Forgery (CSRF) vulnerability in shibulijack CJ Custom Content cj-custom-content allows Stored XSS. This issue affects CJ Custom Content: from n/a through <= 2.0.
Published: 2025-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross-Site Request Forgery flaw that allows an attacker to plant Stored Cross-Site Scripting code in the WordPress CJ Custom Content plugin. By forging a request that the site accepts as legitimate, an attacker can inject arbitrary JavaScript that is persisted in the plugin's stored content. The payload then runs in the browser of any user who views the affected content, compromising confidentiality and integrity and potentially enabling further lateral movement.

Affected Systems

The issue affects the CJ Custom Content plugin developed by shibulijack, in all releases up to and including version 2.0 (no lower bound is specified). Any WordPress site running one of these versions is susceptible; the record names no fixed release after 2.0.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS score of less than 1% suggests that the likelihood of exploitation is currently low, and the flaw is not listed in the CISA KEV catalog. However, because the vulnerability is triggered via Cross-Site Request Forgery, an attacker who lures a logged-in user with sufficient privileges into loading attacker-controlled content can cause that user's browser to submit the crafted request without the user's knowledge. Once the XSS payload is stored, it affects every user of the affected WordPress site who views the content.

Generated by OpenCVE AI on May 1, 2026 at 20:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CJ Custom Content plugin to version 2.1 or later, ensuring the CSRF protection and XSS sanitization fixes are applied.
  • If an upgrade is not possible, disable or remove the plugin to eliminate the vulnerability.
  • Implement a web application firewall rule or application‑level CSRF token validation on all form submissions for the plugin to detect and block suspicious POST requests containing malicious script payloads.

Generated by OpenCVE AI on May 1, 2026 at 20:34 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-3490
Title: Cross-Site Request Forgery (CSRF) vulnerability in Shibu Lijack a.k.a CyberJack CJ Custom Content allows Stored XSS. This issue affects CJ Custom Content: from n/a through 2.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Cross-Site Request Forgery (CSRF) vulnerability in Shibu Lijack a.k.a CyberJack CJ Custom Content allows Stored XSS. This issue affects CJ Custom Content: from n/a through 2.0.
  Added: Cross-Site Request Forgery (CSRF) vulnerability in shibulijack CJ Custom Content cj-custom-content allows Stored XSS. This issue affects CJ Custom Content: from n/a through <= 2.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 17 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Jan 2025 20:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Shibu Lijack a.k.a CyberJack CJ Custom Content allows Stored XSS. This issue affects CJ Custom Content: from n/a through 2.0.
Title WordPress CJ Custom Content plugin <= 2.0 - CSRF to Cross-Site Scripting vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:22.839Z

Reserved: 2025-01-16T11:31:20.771Z

Link: CVE-2025-23869

Vulnrichment

Updated: 2025-01-17T17:17:36.751Z

NVD

Status : Deferred

Published: 2025-01-16T21:15:26.893

Modified: 2026-04-23T15:24:40.270

Link: CVE-2025-23869

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T20:45:25Z

Weaknesses