CVE-2023-2023
published 2023-05-30

CVE-2023-2023: The Custom 404 Pro WordPress plugin before 3.7.3 does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.

Priority P3 · 36 · medium
CVSS 3.1 base score 6.1: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (network attacker with no privileges; a logged-in victim must open the crafted link; scope changes because the script runs in the victim's browser session)
EPSS 1.71% (74.5th percentile)

Affected

43 ranges · showing 25

Vendor         | Product                                              | Version range                   | Fixed in
f5             | big-ip                                               |                                 |
funadmin       | funadmin                                             | 0 – 3.2.0                       |
giflib_project | giflib                                               | >= 0 < 5.1.9-1ubuntu0.1         | 5.1.9-1ubuntu0.1
giflib_project | giflib                                               | >= 0 < 5.1.9-2ubuntu0.1         | 5.1.9-2ubuntu0.1
giflib_project | giflib                                               | >= 0 < 5.1.4-0.3~16.04.1+esm1   | 5.1.4-0.3~16.04.1+esm1
giflib_project | giflib                                               | >= 0 < 5.1.4-2ubuntu0.1+esm1    | 5.1.4-2ubuntu0.1+esm1
github.com     | gofiber_fiber_v2                                     | >= 0 < 2.50.0                   | 2.50.0
github.com     | libp2p_go-libp2p                                     | >= 0 < 0.27.8                   | 0.27.8
github.com     | libp2p_go-libp2p                                     | >= 0.28.0 < 0.28.2              | 0.28.2
github.com     | libp2p_go-libp2p                                     | >= 0.29.0 < 0.29.1              | 0.29.1
knative.dev    | serving                                              | >= 0 < 0.39.0                   | 0.39.0
kunalnagar     | custom_404_pro                                       | < 3.7.3                         | 3.7.3
linux          | linux_kernel                                         | >= 0 < 5.15.0-105.115           | 5.15.0-105.115
linux          | linux_kernel                                         | >= 5.12.0 < 5.15.112            | 5.15.112
linux          | linux_kernel                                         | >= 5.16.0 < 6.1.29              | 6.1.29
linux          | linux_kernel                                         | >= 6.2.0 < 6.2.16               | 6.2.16
linux          | linux_kernel                                         | >= 6.3.0 < 6.3.3                | 6.3.3
msrc           | cbl2_emacs_28.2-4_on_cbl_mariner_2.0                 |                                 |
msrc           | cbl2_hyperv-daemons_5.15.118.1-1_on_cbl_mariner_2.0  |                                 |
msrc           | cbl2_hyperv-daemons_5.15.158.1-1_on_cbl_mariner_2.0  |                                 |
msrc           | cbl2_kernel_5.15.135.1-2_on_cbl_mariner_2.0          |                                 |
msrc           | cbl_mariner_2.0_arm                                  |                                 |
msrc           | cbl_mariner_2.0_x64                                  |                                 |
msrc           | microsoft_edge                                       |                                 |
msrc           | microsoft_office_online_server                       |                                 |

Only the kunalnagar / custom_404_pro row (< 3.7.3, fixed in 3.7.3) matches the description of this CVE. The remaining rows name products (giflib, the Linux kernel, go-libp2p, Fiber, Knative, CBL-Mariner packages, Edge, Office Online Server) that a reflected XSS in a WordPress plugin cannot affect; they appear to be misattributed aggregator data and should be treated as unverified rather than as an exposure list for CVE-2023-2023.

Detection & IOCs (extracted from sources)

url   /wp-admin/admin.php?page=c4p-main&s={{randstr}}%22%20style=animation-name:rotation%20onanimationstart=alert(document.domain)//
      ({{randstr}} is a scanner-template placeholder for a random string, not part of the literal payload)
path  /wp-admin/admin.php?page=c4p-main
  • Detect exploitation attempts by inspecting the 's' query parameter on the c4p-main admin page: after one round of URL-decoding, a double quote that closes the reflected attribute, followed by a style= or on*= event-handler attribute. Match on that structure rather than on the literal alert(document.domain) string, which any real attacker will change.
  • To confirm reflection in a scanner response, match an HTTP 200 with a text/html content type whose body contains both 'onanimationstart=alert(document.domain)//' and 'Custom 404 Pro' (the second string confirms the plugin page actually rendered).
  • The vulnerability is triggered via the 's' (search) parameter on the wp-admin Custom 404 Pro page (page=c4p-main); monitor GET requests to this endpoint for input reflected unescaped into HTML attributes.
  • The crafted request only does anything inside a browser that holds an administrator session, so in logs it appears as an admin's GET to /wp-admin/admin.php?page=c4p-main, typically preceded by a POST to /wp-login.php from the same session. The attacker needs no account: this is reflected XSS, the victim opens the link, and that is what the CVSS vector's PR:N/UI:R expresses. The login-then-GET correlation is a detection heuristic for the victim's session, not an attacker prerequisite.
  • Affected versions are Custom 404 Pro < 3.7.3; the fix is present in version 3.7.3 and later. Scope detections to sites running vulnerable plugin versions.
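The following is an added example of the detection logic described in the notes above, written for this page; it is not code from the advisory's sources or from the Custom 404 Pro plugin. It assumes access logs in Combined Log Format, uses constructed sample lines, and uses the client IP as a stand-in for "same session" because such logs carry no cookie field. The break-out regex generalises beyond the literal onanimationstart payload to any quote followed by a style= or on*= attribute.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Combined Log Format (not real traffic).
# Line 2 carries the advisory's payload after a login from the same address;
# line 4 is a variant with a different event handler; the others are benign
# or hit a different endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/May/2023:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [30/May/2023:10:01:09 +0000] "GET /wp-admin/admin.php?page=c4p-main&s=abc123%22%20style=animation-name:rotation%20onanimationstart=alert(document.domain)// HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [30/May/2023:10:02:15 +0000] "GET /wp-admin/admin.php?page=c4p-main&s=missing-page HTTP/1.1" 200 4980 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [30/May/2023:10:03:40 +0000] "GET /wp-admin/admin.php?page=c4p-main&s=x%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 5010 "-" "curl/8.0"',
    '10.0.0.9 - - [30/May/2023:10:03:41 +0000] "GET /?s=%22%20onmouseover%3Dalert(1) HTTP/1.1" 200 3000 "-" "curl/8.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Attribute break-out after decoding: a quote that closes the attribute the
# plugin reflects into, then a new style= or on*= attribute (optionally after
# other attr=value pairs). Matching the structure instead of the literal
# alert(document.domain) string also catches changed handlers and payloads.
BREAKOUT_RE = re.compile(
    r'''["']\s*(?:[\w-]+\s*=\s*\S*\s+)*(?:style|on\w+)\s*=''', re.I
)


def parse_line(line):
    """Parse one log line into a dict with ip, ts, method, path, query, status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    parts = urlsplit(req['target'])
    req['path'] = parts.path
    # parse_qs percent-decodes exactly once, which is what PHP sees in $_GET;
    # a double-encoded payload would not break out of the attribute either.
    req['query'] = parse_qs(parts.query, keep_blank_values=True)
    return req


def is_c4p_xss_attempt(req):
    """True for a GET to the Custom 404 Pro admin page whose 's' parameter
    contains an attribute break-out."""
    if req['method'] != 'GET' or req['path'] != '/wp-admin/admin.php':
        return False
    q = req['query']
    if q.get('page', [''])[0] != 'c4p-main' or 's' not in q:
        return False
    return any(BREAKOUT_RE.search(value) for value in q['s'])


def scan_log(lines):
    """Return one hit per suspicious request, annotated with whether a
    POST /wp-login.php was already seen from the same client IP (a rough
    stand-in for 'same session' when the log has no cookie field)."""
    logged_in_ips = set()
    hits = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        if req['method'] == 'POST' and req['path'] == '/wp-login.php':
            logged_in_ips.add(req['ip'])
            continue
        if is_c4p_xss_attempt(req):
            hits.append({
                'ip': req['ip'],
                'time': req['ts'],
                'status': int(req['status']),   # 200 means the page rendered
                'payload': req['query']['s'][0],
                'after_login_from_ip': req['ip'] in logged_in_ips,
            })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

On the sample data the scan reports two hits: the advisory payload from 10.0.0.5 flagged as following a login, and the onmouseover variant from 10.0.0.9 with no prior login from that address; the benign search and the request to the site front page are ignored. A hit with a 200 status from an address that logged in moments earlier is the case worth paging on, since that is the shape of a successful reflection in an admin's browser.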

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | 3.1     | 6.1   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv           |         | 8.8   | HIGH     |
vendor_msrc   |         | 8.8   | CRITICAL |
vendor_oracle |         | 7.5   | HIGH     |
vendor_redhat |         | 6.3   | MEDIUM   |

The NVD entry is the one consistent with the description: network attacker, no privileges required, user interaction, and the scope change typical of reflected XSS. The other rows carry no vector, an 8.8 is HIGH rather than CRITICAL on the CVSS 3.x scale, and Oracle, Red Hat and MSRC are unlikely to have scored a WordPress plugin, so these look like the same misattribution seen in the unrelated products of the Affected list. Use the NVD score of 6.1 for prioritisation.