CVE-2025-62880
Description
Cross-Site Request Forgery (CSRF) vulnerability in Kunal Custom 404 Pro custom-404-pro allows Cross Site Request Forgery. This issue affects Custom 404 Pro: from n/a through <= 3.12.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the Custom 404 Pro WordPress plugin (≤3.12.0) allows attackers to force privileged users to execute unwanted actions.
Vulnerability Overview
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Custom 404 Pro WordPress plugin, versions 3.12.0 and earlier. The plugin fails to properly validate or enforce anti-CSRF tokens on state-changing requests, allowing an attacker to craft malicious requests that, when triggered by an authenticated administrator, perform unintended actions on that user's behalf [1].
Exploitation Details
Exploitation requires user interaction: a privileged user (such as an administrator) must be tricked into clicking a malicious link, visiting a crafted page, or submitting a specially crafted form while authenticated to the WordPress site. The attacker does not need to authenticate, but the victim must have an active session with sufficient privileges to perform the targeted action [1].
Impact
Successful exploitation could allow an attacker to force the victim to execute unwanted actions under their current authentication level, such as modifying plugin settings, changing site options, or performing other administrative tasks without the victim's consent [1].
Mitigation
The vendor has released version 3.12.1, which addresses the vulnerability. Users are strongly advised to update to this version or later. Patchstack users can enable auto-updates for vulnerable plugins. Although the vulnerability has a low severity rating and is considered unlikely to be exploited in mass campaigns, immediate updating is recommended as a precaution [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 3.12.0
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.