
CVE-2023-6391: CWE-352 Cross-Site Request Forgery (CSRF) in Unknown Custom User CSS

Severity: High
Published: Mon Jan 29 2024 (01/29/2024, 14:44:27 UTC)
Source: CVE Database V5
Vendor/Project: Unknown
Product: Custom User CSS

Description

The Custom User CSS WordPress plugin through 0.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

AI-Powered Analysis

Last updated: 07/07/2025, 23:27:47 UTC

Technical Analysis

CVE-2023-6391 is a high-severity vulnerability affecting the Custom User CSS WordPress plugin, versions up to and including 0.2. It is classified as Cross-Site Request Forgery (CSRF, CWE-352): the plugin's settings-update handler does not verify that a request originated from its own admin form, so an attacker can trick an authenticated administrator into submitting a request that changes the plugin's settings without the admin's knowledge. Because the plugin's purpose is to apply custom CSS, an unauthorized settings change amounts to CSS injection, which could support UI redressing, phishing-style overlays, or, depending on how and where the CSS is rendered, further attacks. The CVSS 3.1 score of 8.8 reflects high impact on confidentiality, integrity, and availability, with a network attack vector, no privileges required, and user interaction needed (an admin who is logged in must visit attacker-controlled content). The attacker therefore needs no account of their own, but the victim must be an authenticated administrator. No exploits in the wild are currently reported, and no patch has been linked yet. The unknown vendor and low version number suggest a niche plugin with limited adoption, but the risk to sites that do run it remains significant.

Potential Impact

For European organizations running WordPress sites with the Custom User CSS plugin, this vulnerability could lead to unauthorized administrative changes to site appearance and behavior, potentially undermining trust and brand reputation. Attackers could exploit this to inject malicious CSS that might facilitate phishing attacks, UI manipulation, or data leakage. The compromise of administrative settings could also serve as a foothold for further attacks, including privilege escalation or site defacement. Given the high CVSS score, the impact on confidentiality, integrity, and availability is substantial. Organizations in sectors with strict data protection regulations (e.g., GDPR) could face compliance risks if customer data or site integrity is compromised. The requirement for an admin user to be tricked into interaction means social engineering or targeted phishing campaigns could be used, increasing the risk to organizations with less security-aware staff.

Mitigation Recommendations

Immediate mitigation steps include disabling or uninstalling the Custom User CSS plugin until a patch is available. Administrators should audit their WordPress installations to identify the presence of this plugin and verify the version. If the plugin is essential, restrict administrative access to trusted users only and implement network-level protections such as Web Application Firewalls (WAFs) that can detect and block CSRF attack patterns. Educate administrators about the risks of clicking on untrusted links or visiting suspicious websites while logged into admin accounts. Monitoring for unexpected changes in plugin settings or CSS files can help detect exploitation attempts. Once a patch is released, apply it promptly. Additionally, implementing Content Security Policy (CSP) headers can help mitigate the impact of malicious CSS injection. Regular backups and incident response plans should be in place to recover from potential compromises.
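As an added illustration (not the plugin's own code, which is not shown on this page), the hypothetical settings handler below contrasts the unprotected pattern the advisory describes with the standard WordPress fix: a nonce issued with the form and verified by check_admin_referer(), plus a capability check. All cucss_* names and the option key are assumptions.

```php
<?php
// Added illustration (not the plugin's own code): a hypothetical settings
// handler for a "custom user CSS" option, first without a CSRF check (the
// pattern CVE-2023-6391 describes), then with the standard WordPress fix.
// Names such as cucss_* and the option key are assumptions.

// --- Vulnerable pattern: any POST reaching this hook is trusted ---
add_action( 'admin_post_cucss_save_vuln', 'cucss_save_vuln' );
function cucss_save_vuln() {
    // No nonce, no capability check: a forged cross-site form submitted by a
    // logged-in admin's browser updates the option just like a real one.
    update_option( 'cucss_custom_css', wp_unslash( $_POST['custom_css'] ?? '' ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=cucss' ) );
    exit;
}

// --- Hardened version ---
// Render the form with a nonce tied to a specific action name.
function cucss_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cucss_save" />
        <?php wp_nonce_field( 'cucss_save_settings', 'cucss_nonce' ); ?>
        <textarea name="custom_css"><?php echo esc_textarea( get_option( 'cucss_custom_css', '' ) ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

add_action( 'admin_post_cucss_save', 'cucss_save' );
function cucss_save() {
    // 1. Authorisation: only users allowed to manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the nonce must match this action and the current user's
    //    session; check_admin_referer() terminates the request on failure.
    check_admin_referer( 'cucss_save_settings', 'cucss_nonce' );
    // 3. Sanitise before storing so stored CSS cannot smuggle markup.
    $css = wp_strip_all_tags( wp_unslash( $_POST['custom_css'] ?? '' ) );
    update_option( 'cucss_custom_css', $css );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=cucss' ) ) );
    exit;
}
```

A cross-site form has no way to obtain a valid nonce for the victim's session, so the hardened handler rejects the forged request before update_option() runs.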


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2023-11-29T20:53:26.983Z
CVSS Version: 3.1
State: PUBLISHED


Added to database: 5/29/2025, 3:29:19 PM

Last enriched: 7/7/2025, 11:27:47 PM

Last updated: 8/17/2025, 12:41:56 PM
