CVE-2024-9204 in Smart Custom 404 Error Page Plugin
Summary
by MITRE • 10/04/2024
The Smart Custom 404 Error Page plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_SERVER['REQUEST_URI'] in all versions up to, and including, 11.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/08/2025
The Smart Custom 404 Error Page plugin for WordPress represents a critical security vulnerability through its susceptibility to reflected cross-site scripting attacks, specifically targeting the $_SERVER['REQUEST_URI'] parameter within versions up to and including 11.4.7. This vulnerability stems from inadequate input sanitization mechanisms and insufficient output escaping practices that fail to properly neutralize malicious script content before rendering it in web responses. The flaw exists within the plugin's handling of HTTP request data, where user-supplied URI information is directly incorporated into error page outputs without proper validation or encoding measures.
The technical exploitation of this vulnerability occurs when an attacker crafts a malicious URI containing script code that gets reflected back to users who visit the compromised WordPress site. Since the plugin does not adequately sanitize the REQUEST_URI parameter, any malicious input passed through this vector can be executed in the context of a victim's browser session. This reflected XSS vulnerability operates under the common CWE-79 classification for cross-site scripting flaws, where insufficient validation of user-supplied data leads to arbitrary script execution. The attack requires minimal privileges as it targets unauthenticated users and relies on social engineering techniques to convince victims to click on malicious links.
The operational impact of this vulnerability extends beyond simple script injection, as it enables attackers to potentially steal session cookies, perform actions on behalf of authenticated users, redirect victims to malicious sites, or harvest sensitive information from user interactions. The reflected nature of the attack means that the malicious payload must be embedded in a URL that users are tricked into visiting, making it particularly dangerous in phishing campaigns or when the vulnerable site is referenced in external communications. This vulnerability affects the core WordPress functionality by compromising the integrity of error page generation, which represents a fundamental security control mechanism for web applications.
Mitigation strategies for this vulnerability should focus on immediate patching of the Smart Custom 404 Error Page plugin to versions that properly sanitize input parameters and implement robust output escaping for all user-supplied data. Organizations should also implement Content Security Policy headers to limit script execution capabilities and monitor for suspicious URI patterns in their web server logs. The ATT&CK framework categorizes this vulnerability under T1203 - Exploitation for Client Execution, as it leverages client-side vulnerabilities to execute malicious code in user browsers. Additionally, implementing proper input validation and output encoding practices aligns with security standards such as OWASP Top Ten A03:2021 - Injection, which emphasizes the importance of properly handling user input to prevent various injection attacks including XSS vulnerabilities.