Attack Vectors
Custom 404 Pro (slug: custom-404-pro) is affected by CVE-2025-62880, a Medium-severity Cross-Site Request Forgery (CSRF) issue (CVSS 4.3, vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).
This type of vulnerability is typically exploited through social engineering: an unauthenticated attacker crafts a forged request and then tricks a site administrator (or another privileged user) into clicking a link or visiting a page while logged into WordPress. Because the victim is already authenticated, the attacker’s request can be processed as if it were legitimate.
Official record: https://www.cve.org/CVERecord?id=CVE-2025-62880
Security Weakness
The underlying weakness is missing or incorrect nonce validation on a plugin function in Custom 404 Pro versions up to and including 3.12.0. Nonces are a standard WordPress safeguard designed to ensure that sensitive actions genuinely originate from an authorized admin session and intended user interaction.
When nonce validation is absent or implemented incorrectly, WordPress can accept a request that looks like it came from an admin even though a third party initiated it: the admin's browser automatically attaches the wp-admin session cookies to the forged request, so the server sees a fully authenticated user and has no token proving the action was actually intended. This is why CSRF vulnerabilities are often described as “admin-in-the-middle” risks: they rely on the admin being logged in and being induced to take a simple action (like clicking a link).
Source: Wordfence vulnerability intelligence entry
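The following PHP is an added illustration written for this page and is not code from Custom 404 Pro or from Wordfence; the page does not show which plugin function was affected. It uses the handler shape many WordPress settings pages follow so the weakness class can be seen concretely: a hypothetical option-save handler first without nonce validation, then with the standard WordPress safeguards (capability check, nonce check, then state change). Every name in it (the `example404_*` functions, the `example404_save` admin-post action, the `example404_target` option and the `example404_save_settings` nonce action) is invented for the illustration; the WordPress API calls themselves are real core functions.

```php
<?php
/**
 * Added example, not the plugin's own code. Hypothetical names:
 * hook 'admin_post_example404_save', option 'example404_target',
 * nonce action 'example404_save_settings', nonce field 'example404_nonce'.
 */

// --- Weak pattern: trusts any POST that reaches wp-admin/admin-post.php ---
// No nonce and no capability check: if a logged-in admin's browser submits
// this request from any origin, the option changes under the admin's session.
function example404_save_settings_weak() {
    if ( isset( $_POST['target'] ) ) {
        update_option( 'example404_target', sanitize_text_field( wp_unslash( $_POST['target'] ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example404' ) );
    exit;
}

// --- Hardened pattern ---
function example404_save_settings_hardened() {
    // 1. Capability: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example404' ), '', array( 'response' => 403 ) );
    }

    // 2. Nonce: the request must carry a token bound to this user, this action
    //    and a limited lifetime. check_admin_referer() reads the named field,
    //    verifies it with wp_verify_nonce() and calls wp_die() on failure, so a
    //    forged cross-site request never reaches the state change below.
    check_admin_referer( 'example404_save_settings', 'example404_nonce' );

    // 3. Only now touch state, and sanitize the input before storing it.
    $target = isset( $_POST['target'] ) ? sanitize_text_field( wp_unslash( $_POST['target'] ) ) : '';
    update_option( 'example404_target', $target );

    wp_safe_redirect( admin_url( 'options-general.php?page=example404&updated=1' ) );
    exit;
}

// Register the hardened handler for logged-in users only. The companion
// 'admin_post_nopriv_example404_save' hook is deliberately not registered,
// so unauthenticated requests never reach the handler at all.
add_action( 'admin_post_example404_save', 'example404_save_settings_hardened' );

// The settings form must emit the matching nonce field so that legitimate
// submissions pass check_admin_referer(); a form served from another origin
// cannot obtain a valid token for this user and action.
function example404_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example404_save" />
        <?php wp_nonce_field( 'example404_save_settings', 'example404_nonce' ); ?>
        <input type="text" name="target"
               value="<?php echo esc_attr( get_option( 'example404_target', '' ) ); ?>" />
        <?php submit_button( __( 'Save', 'example404' ) ); ?>
    </form>
    <?php
}
```

The ordering in the hardened handler matters: the capability check and the nonce check both run before any call that writes state. For AJAX handlers the equivalent core function is `check_ajax_referer()`, and REST API routes get nonce validation from core via the `X-WP-Nonce` header together with a `permission_callback`; a handler that performs a privileged write without one of these is the pattern to look for when reviewing a plugin for this weakness class.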
Technical or Business Impacts
While this CVE is rated Medium and does not indicate direct data theft (CVSS shows no confidentiality impact), it can still create meaningful business risk because it enables unauthorized actions performed under an administrator’s session. Even “low integrity impact” changes can result in misconfiguration, unexpected site behavior, or workflow disruption that affects revenue-driving pages and campaigns.
Potential business impacts include: brand and customer trust issues if site behavior changes unexpectedly; operational time spent investigating “mystery changes” to settings; and audit/compliance concerns if privileged actions cannot be confidently attributed to a legitimate, intentional administrator decision.
Remediation: Update Custom 404 Pro to version 3.12.1 or newer (patched). After updating, consider reviewing recent administrative activity and reinforcing internal practices that reduce click-through risk for logged-in admins (for example, avoiding opening unknown links while authenticated to wp-admin).
Similar Attacks (CSRF examples and background): CSRF is a common technique used across many web platforms. For non-technical stakeholders who want quick context on how these attacks work and why user interaction matters, see OWASP: CSRF and PortSwigger Web Security Academy: CSRF.