WordPress Plugin Vulnerabilities

Custom 404 Pro < 3.10.1 - Unauthenticated Stored Cross-Site Scripting via logging

Description

The Custom 404 Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several logged parameters in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
custom-404-pro
Fixed in 3.10.1

References

CVE
CVE-2023-51540
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1106e7b2-eac7-459d-8eb3-fe84c76f3b67

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Kyle Sanchez
Verified
No
WPVDB ID
042d2d4b-d6f3-47be-b3b7-a882253840ba

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-05-14
Title
WP Content Security Plugin <= 2.3 - Unauthenticated Stored Cross-Site Scripting via CSP-Report Fields
Published
2014-08-01
Title
Spider Calendar 1.1.0 - "many_sp_calendar" Cross-Site Scripting
Published
2021-08-16
Title
WP Courses LMS < 2.0.44 - Authenticated Stored XSS via Video Embed Code
Published
2024-09-12
Title
WP Meta SEO < 4.5.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-02-24
Title
Quotes llama < 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting