SQL Injection Vulnerability in Custom 404 Pro Plugin for WordPress
CVE-2025-9947

4.9 MEDIUM

Key Information:

Vendor

WordPress

CVE Published:
11 October 2025

What is CVE-2025-9947?

The Custom 404 Pro plugin for WordPress is vulnerable to time-based SQL injection via the 'path' parameter. The issue arises from insufficient escaping of user-supplied data and a lack of sufficient preparation of the existing SQL query. Authenticated attackers with Administrator-level access can append additional SQL queries to the existing query, which can potentially be used to extract sensitive information from the database. Site owners running affected versions should update the plugin promptly.
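The bug class named above (a request parameter spliced into a query string instead of being bound through a prepared statement) is easiest to see beside its fix. The following is an added illustration, not code from the Custom 404 Pro plugin: it assumes a hypothetical admin-screen feature that filters logged 404 hits by path, a hypothetical table name, and the standard WordPress `$wpdb` API (`$wpdb->prepare()`, `$wpdb->get_results()`).

```php
<?php
// Added illustration, not the plugin's own code. The table and column names
// and the function names are hypothetical; only the $wpdb API is real.

// VULNERABLE PATTERN: the 'path' request parameter is concatenated into the
// SQL text. Any quote character or SQL operator inside it becomes part of the
// statement the database executes, which is the precondition for the
// time-based (blind) injection described in the advisory.
function c404_filter_logs_unsafe() {
    global $wpdb;
    $table = $wpdb->prefix . 'custom404_log'; // hypothetical table
    $path  = isset( $_GET['path'] ) ? $_GET['path'] : '';
    $sql   = "SELECT id, path, hits FROM {$table} WHERE path = '" . $path . "' ORDER BY hits DESC";
    return $wpdb->get_results( $sql );
}

// HARDENED PATTERN: the value is bound through $wpdb->prepare(), so the
// database only ever compares it against the column; it is never parsed as
// SQL. The capability check does not fix the injection by itself (the advisory
// notes the flaw was reachable by Administrators), but it keeps the screen
// limited to the role that is supposed to use it.
function c404_filter_logs_safe() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        return array();
    }

    $table = $wpdb->prefix . 'custom404_log'; // hypothetical table
    $path  = isset( $_GET['path'] ) ? sanitize_text_field( wp_unslash( $_GET['path'] ) ) : '';

    // %s is a placeholder for a string value; prepare() adds the quoting and
    // escaping itself, so the query text never changes shape based on input.
    $sql = $wpdb->prepare(
        "SELECT id, path, hits FROM {$table} WHERE path = %s ORDER BY hits DESC",
        $path
    );
    return $wpdb->get_results( $sql );
}
```

When reviewing a plugin for this defect, the thing to look for is any `$wpdb->query()`, `get_var()`, `get_row()` or `get_results()` call whose SQL string is built with `.` concatenation or string interpolation from `$_GET`, `$_POST` or `$_REQUEST` values; each of those call sites should instead pass its user-controlled values as arguments to `$wpdb->prepare()`. Interpolating `$wpdb->prefix` into the table name, as above, is fine because the prefix is site configuration, not user input.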

Affected Version(s)

Custom 404 Pro, all versions up to and including 3.12.0

References

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

jamaal