Platform
wordpress
Component
custom-404-pro
Fixed in
3.12.1
CVE-2025-62880 is a Cross-Site Request Forgery (CSRF) vulnerability in the Custom 404 Pro WordPress plugin. A request that the plugin accepts as a legitimate settings change is not tied to the user's intent (no valid nonce or origin check), so an attacker who gets a logged-in user to visit a page they control can have that user's browser submit the request for them, without the user noticing. All plugin versions from 0.0.0 up to and including 3.12.0 are affected; the fix is in version 3.12.1.
A successful attack lets the attacker modify plugin settings or the custom 404-page configuration with the victim's privileges, or trigger any other plugin action the victim is allowed to perform. Because plugin settings are normally administrator-only, the realistic victim is an administrator, and the damage scales with what the plugin lets an administrator configure (for example, what visitors are shown when they hit a missing page). The advisory rates the CVSS as medium; the low effort needed for CSRF (a link or a page the victim opens while logged in) is why it still deserves prompt attention. Claims of full site takeover go beyond what the advisory establishes and would depend on the plugin accepting something the attacker can turn into code execution.
The vulnerability was publicly disclosed on 2025-12-22. No public proof-of-concept (PoC) has been identified at the time of writing; since a CSRF PoC is typically a single HTML form, one can appear quickly once the vulnerable request is known. The CVE is not on the CISA KEV catalog. EPSS puts the probability of exploitation in the next 30 days at 0.02% (5th percentile), i.e. low relative to the CVE population; the qualitative "medium" rating on this page reflects the size of the WordPress install base and how simple CSRF is to weaponise.
Any WordPress site with Custom 404 Pro 0.0.0 through 3.12.0 installed and active is at risk. Shared-hosting or agency setups where plugin updates are applied centrally may lag behind the patch release. Note that CSRF does not depend on password strength: the attack rides on the victim's existing authenticated session, so sites whose administrators browse other websites while logged into wp-admin (which is the normal case) are the exposed population.
• wordpress (on the server):
grep -ri 'Plugin Name: Custom 404 Pro' /var/www/html/wp-content/plugins/
wp plugin get custom-404-pro --field=version
• generic web (unauthenticated version fingerprint; only works if the plugin's readme.txt is web-readable, and reports the packaged version, not whether the plugin is active):
curl -s https://your-wordpress-site.com/wp-content/plugins/custom-404-pro/readme.txt | grep -i 'stable tag'
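The commands above tell you which version is installed but leave the comparison against the fixed release to the reader, and a naive string or `sort` comparison gets it wrong once a component has two digits (3.12.10 is newer than 3.12.1). The following script is an added example, not code from the advisory or from the plugin: it reads the `Version:` plugin header that WordPress itself uses, compares it component by component against 3.12.1, and reports whether the install is in the affected range. The sample header is constructed inline; the `/var/www/html/...` path in the usage comment is an assumption about a typical layout.

```shell
#!/bin/sh
# Added example: decide whether an installed Custom 404 Pro is in the affected
# range (<= 3.12.0) by reading the "Version:" plugin header and comparing it
# numerically, component by component, against the fixed release 3.12.1.
# POSIX sh only (no arrays, no bashisms) so it runs on minimal hosting shells.
set -u

FIXED_VERSION="3.12.1"

# Read a plugin's main PHP file on stdin and print the value of its
# "Version:" header line (e.g. " * Version: 3.12.0" -> "3.12.0").
# Returns 1 if no such header is present.
plugin_version_from_header() {
  _v=$(sed -n 's/^[^A-Za-z]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1)
  [ -n "$_v" ] || return 1
  printf '%s\n' "$_v"
}

# version_lt A B: exit 0 if dotted version A is strictly older than B.
# Components are compared as integers left to right; a missing trailing
# component counts as 0, so 3.12 == 3.12.0 and 3.12.10 > 3.12.1.
version_lt() {
  _a=$1 _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*} _y=${_b%%.*}
    case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    [ "${_x:-0}" -lt "${_y:-0}" ] && return 0
    [ "${_x:-0}" -gt "${_y:-0}" ] && return 1
  done
  return 1
}

# is_vulnerable VERSION: exit 0 if VERSION predates the fixed release.
is_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# check_plugin_dir DIR: find the PHP file carrying the plugin header inside a
# plugin directory, print "<version> vulnerable|patched", exit 0 if vulnerable,
# 1 if patched, 2 if no header was found.
check_plugin_dir() {
  _dir=$1
  for _f in "$_dir"/*.php; do
    [ -f "$_f" ] || continue
    if _ver=$(plugin_version_from_header < "$_f"); then
      if is_vulnerable "$_ver"; then
        printf '%s vulnerable (fixed in %s)\n' "$_ver" "$FIXED_VERSION"
        return 0
      fi
      printf '%s patched\n' "$_ver"
      return 1
    fi
  done
  printf 'no plugin header found in %s\n' "$_dir" >&2
  return 2
}

# Constructed sample header in the format WordPress's plugin loader reads;
# this is not the plugin's real file.
SAMPLE_HEADER='<?php
/**
 * Plugin Name: Custom 404 Pro
 * Version: 3.12.0
 */'

main() {
  _found=$(printf '%s\n' "$SAMPLE_HEADER" | plugin_version_from_header)
  if is_vulnerable "$_found"; then
    echo "Custom 404 Pro $_found: affected, update to $FIXED_VERSION or later"
  else
    echo "Custom 404 Pro $_found: not affected"
  fi
  # On a real host (assumed path): check_plugin_dir /var/www/html/wp-content/plugins/custom-404-pro
}

main
```

Run it once against the constructed sample to see the affected verdict, then point `check_plugin_dir` at each site's plugin directory; on multi-site hosting a loop over `/var/www/*/wp-content/plugins/custom-404-pro` gives a fleet-wide list. The version header is the authoritative source because the readme's "Stable tag" can be stale relative to what is actually deployed.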
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Custom 404 Pro to version 3.12.1 or later. If you cannot upgrade immediately, deactivate the plugin until you can; a deactivated plugin registers no request handlers, so there is nothing to forge. Note that a Content Security Policy does not stop CSRF: the forged request is a plain cross-site form submission or navigation, which CSP does not govern, so CSP is not a substitute here. Adding nonce checks to the affected handlers is the plugin author's fix (that is what 3.12.1 delivers), not something a site operator can bolt on; what an operator can do is limit who holds an authenticated administrator session (fewer admin accounts, log out of wp-admin when browsing elsewhere) and, where available, restrict wp-admin access by IP or behind a WAF that requires a valid WordPress nonce on state-changing requests. After upgrading, verify the fix by capturing a legitimate settings-save request in Burp Suite, replaying it with the nonce parameter (typically `_wpnonce`) removed or altered while the session cookie is still present, and confirming that the plugin now rejects it (WordPress's standard nonce failure is a 403 or a "The link you followed has expired." page) instead of applying the change.
Update to version 3.12.1 or a newer patched version.
CVE-2025-62880 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Custom 404 Pro WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using Custom 404 Pro versions 0.0.0 through 3.12.0. Upgrade to 3.12.1 or later to mitigate the risk.
Upgrade the Custom 404 Pro plugin to version 3.12.1 or later; deactivate it if you cannot upgrade right away. CSP headers do not protect against CSRF, so do not rely on them for this issue.
No active exploitation has been confirmed and EPSS is low (0.02%), but a CSRF proof of concept is trivial to build once the vulnerable request is known, so patch promptly.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.