CVE-2025-62880
Description
Cross-Site Request Forgery (CSRF) vulnerability in Kunal Custom 404 Pro custom-404-pro allows Cross Site Request Forgery. This issue affects Custom 404 Pro: from n/a through <= 3.12.0.
Analysis
Cross-site request forgery (CSRF) in Kunal Custom 404 Pro WordPress plugin through version 3.12.0 allows attackers to perform unauthorized actions on behalf of authenticated administrators without their knowledge or consent. The vulnerability affects all versions up to and including 3.12.0, with no CVSS score assigned at the time of analysis. No public exploit code has been identified, and the EPSS score of 0.02% indicates minimal likelihood of active exploitation despite the moderate technical severity of CSRF flaws.
Technical Context
CSRF vulnerabilities (CWE-352) exploit the implicit trust that web browsers place in authenticated sessions: a malicious page crafts a request that the browser sends with the victim's cookies, so it executes in the context of the logged-in user. In WordPress plugins like Custom 404 Pro, CSRF typically manifests when administrative functions lack nonce verification, that is, the per-user, per-action tokens WordPress uses to confirm that a request originated from the plugin's own form or script rather than from a third-party site. The vulnerability allows an attacker to host a malicious webpage or inject code that, when visited by an authenticated admin, silently triggers plugin configuration changes, settings modifications, or other administrative actions. This is particularly risky in WordPress because administrators often remain logged in across multiple browser tabs and may inadvertently click links or visit untrusted sites while their session is active.
Affected Products
Kunal Custom 404 Pro WordPress plugin is affected in all versions from the earliest release through and including version 3.12.0. The plugin is distributed via the official WordPress plugin repository and is identified by the slug 'custom-404-pro'. Affected administrators can identify their version by checking Settings > Custom 404 Pro within the WordPress dashboard or inspecting the plugin's readme.txt file. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/custom-404-pro/vulnerability/wordpress-custom-404-pro-plugin-3-12-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve provides version details and affected installation confirmation.
Remediation
WordPress site administrators running Custom 404 Pro should immediately update the plugin to the latest available version beyond 3.12.0 via the WordPress dashboard (Plugins > Installed Plugins > Custom 404 Pro > Update Now) or by downloading the latest release from the official WordPress plugin repository. The vendor's fix, released after version 3.12.0, adds nonce verification to all administrative forms and AJAX endpoints, preventing unauthorized requests from executing plugin actions. Site administrators should verify the update completes successfully and test plugin functionality in a staging environment if possible. Until patching, administrators should limit access to the WordPress admin dashboard, use security plugins that enforce additional CSRF protections, and educate staff to avoid clicking suspicious links while logged in to WordPress.
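As an added example (not code from Custom 404 Pro or its vendor), this shows the pattern described in the Technical Context and Remediation sections: a hypothetical WordPress settings handler that trusts any POST it receives, beside the same handler protected with a capability check and WordPress nonce verification, for both an admin-post form and an AJAX endpoint. All my404_* names and the option key are assumptions.

```php
<?php
// Added example, not the plugin's own code. Names (my404_*) and the
// option key are assumptions chosen for illustration.

// --- Vulnerable pattern: any POST that reaches this handler is honoured. ---
// A form auto-submitted from an unrelated site by a logged-in admin's
// browser carries the admin's cookies and succeeds here.
function my404_save_settings_unprotected() {
    update_option( 'my404_page_id', absint( $_POST['page_id'] ?? 0 ) );
}

// --- Hardened form: nonce emitted with the form, verified on submit. ---
function my404_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="my404_save">';
    // Emits a hidden field bound to the "my404_save" action and the current
    // user's session; a third-party page cannot produce a valid value.
    wp_nonce_field( 'my404_save', 'my404_nonce' );
    echo '<input type="number" name="page_id" value="'
        . esc_attr( get_option( 'my404_page_id', 0 ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function my404_save_settings_protected() {
    // Authorization: only users allowed to change site options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Dies if the nonce is missing, expired, or issued for another action.
    check_admin_referer( 'my404_save', 'my404_nonce' );
    update_option( 'my404_page_id', absint( $_POST['page_id'] ?? 0 ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=my404&updated=1' ) );
    exit;
}
add_action( 'admin_post_my404_save', 'my404_save_settings_protected' );

// --- Same discipline for an AJAX endpoint. ---
function my404_ajax_reset() {
    // check_ajax_referer() stops the request on a bad nonce; the JS side
    // must send the value of wp_create_nonce( 'my404_ajax' ) as "nonce".
    check_ajax_referer( 'my404_ajax', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_option( 'my404_page_id' );
    wp_send_json_success();
}
add_action( 'wp_ajax_my404_reset', 'my404_ajax_reset' );
```

When reviewing a plugin for this class of flaw, the check is that every state-changing admin_post_* and wp_ajax_* handler calls check_admin_referer() or check_ajax_referer() in addition to a current_user_can() test; a nonce without the capability check, or the reverse, leaves one half of the protection missing.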