Impact
A Cross-Site Request Forgery (CSRF) vulnerability in the SaifuMak Add Custom Codes WordPress plugin lets an attacker cause an authenticated user's browser to submit plugin actions the user never intended. The plugin's action handlers do not verify that a request originated from the plugin's own forms (the control WordPress provides for this is a nonce), so a page under the attacker's control can auto-submit a request that the victim's browser sends together with the victim's session cookies, modifying content or plugin configuration without the user's consent. The direct impact is to integrity; confidentiality and availability of site data are affected to the extent the forged action controls them, and a successful change can serve as a foothold for further exploitation.
Affected Systems
The vulnerability affects the SaifuMak Add Custom Codes WordPress plugin in all releases up to and including version 4.80. Any site running 4.80 or earlier is susceptible. This page does not name a fixed release: versions newer than 4.80 are not listed as affected, but confirm that against the plugin's changelog before treating them as safe.
Risk and Exploitability
A CVSS score of 6.5 rates the flaw as medium severity, and an EPSS score below 1% indicates a low estimated probability of exploitation in the wild; the issue is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. The attacker needs no credentials of their own: exploitation requires a victim who is logged in to the WordPress site with whatever privileges the plugin action demands (for a settings-changing action, usually an administrator) to visit an attacker-controlled page, which submits a crafted POST to the vulnerable endpoint with the victim's session cookies attached. The attacker's reach is bounded by the victim's role, so an administrator victim exposes administrative functions.
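The missing protection described above, shown as an added example rather than code from the SaifuMak plugin: a WordPress admin-post handler written the way the advisory describes (any POST from a logged-in browser is honoured) beside the same handler guarded by a nonce and a capability check. The hook name `acc_save_codes`, the option name `acc_custom_codes`, the nonce field name `_acc_nonce` and the settings page slug are assumptions for the illustration, not the plugin's real identifiers.

```php
<?php
/**
 * Added illustration; not code from the SaifuMak Add Custom Codes plugin.
 * Hook, option and field names (acc_save_codes, acc_custom_codes, _acc_nonce)
 * are assumed for the example.
 */

// --- Vulnerable pattern: the handler trusts any POST from a logged-in browser.
// A page on attacker.example can auto-submit a form to
// /wp-admin/admin-post.php?action=acc_save_codes; the victim's auth cookie
// rides along and the option is overwritten without consent.
function acc_save_codes_vulnerable() {
    $code = isset( $_POST['custom_code'] ) ? wp_unslash( $_POST['custom_code'] ) : '';
    update_option( 'acc_custom_codes', $code );
    wp_safe_redirect( admin_url( 'options-general.php?page=acc&saved=1' ) );
    exit;
}

// --- Hardened pattern: the nonce ties the request to a form the victim
// actually loaded; the capability check ties it to a user allowed to do this.
function acc_save_codes_hardened() {
    // Calls wp_die() when the nonce is missing, expired, or issued for a
    // different user or action. A cross-site page cannot obtain a valid
    // nonce because it cannot read the victim's settings page.
    check_admin_referer( 'acc_save_codes', '_acc_nonce' );

    // A valid nonce is not authorization: also require the capability,
    // otherwise any logged-in role that can reach the form could save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'acc' ), 403 );
    }

    $code = isset( $_POST['custom_code'] ) ? wp_unslash( $_POST['custom_code'] ) : '';
    // Input handling of the stored code is a separate concern from CSRF and
    // is left as in the vulnerable version; the two checks above are the fix.
    update_option( 'acc_custom_codes', $code );

    wp_safe_redirect( admin_url( 'options-general.php?page=acc&saved=1' ) );
    exit;
}
add_action( 'admin_post_acc_save_codes', 'acc_save_codes_hardened' );

// Settings form that issues the nonce the hardened handler expects.
function acc_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="acc_save_codes">
        <?php wp_nonce_field( 'acc_save_codes', '_acc_nonce' ); ?>
        <textarea name="custom_code"><?php echo esc_textarea( get_option( 'acc_custom_codes', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Two points a reviewer checking a plugin for this class of bug looks for: every state-changing handler (admin-post hooks, AJAX actions, settings-page POST branches) must call `check_admin_referer()` or `wp_verify_nonce()` with the same action string its form used in `wp_nonce_field()`, and it must pair that with a `current_user_can()` check, since a nonce alone only proves the request came from a page the current user loaded, not that the user is permitted to perform the action. Browser SameSite cookie defaults reduce exposure on some browsers but vary enough that the nonce remains the control to rely on.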
OpenCVE Enrichment