CVE-2024-39646
published 2024-08-01CVE-2024-39646: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kunal Custom 404 Pro custom-404-pro.This issue affects…
PriorityP180medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
0.59%
43.7th percentile
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kunal Custom 404 Pro custom-404-pro.This issue affects Custom 404 Pro: from n/a through <= 3.11.1.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kunal | custom_404_pro | <= 3.11.1 | — |
| kunalnagar | custom_404_pro | < 3.11.2 | 3.11.2 |
Detection & IOCsextracted from sources · hover to see the quote
url/wp-admin/admin.php?page=c4p-main&c4pmessage=hello&c4pmessageType=%22%20onmouseover%3Dalert(1)%20↗
- →Reflected XSS payload is injected via the `c4pmessageType` GET parameter on the admin page `c4p-main`. Look for unencoded quote and event handler strings in HTTP responses to this endpoint. ↗
- →Detection can confirm exploitation by matching the reflected payload `" onmouseover=alert(1)` in the HTML response body with content-type `text/html`. ↗
- →The vulnerability requires an authenticated session (wordpress_logged_in_ cookie present). Monitor for suspicious GET requests to `/wp-admin/admin.php?page=c4p-main` with unusual `c4pmessageType` values containing HTML event handlers. ↗
- ·Exploitation requires an authenticated WordPress session; the attack vector is network-based but requires user interaction (UI:R) and an authenticated context. The CVSS score of 7.1 reflects Confidentiality, Integrity, and Availability impact. ↗
- ·Affected versions are Custom 404 Pro from n/a through 3.11.1 inclusive. Version 3.11.2 contains the fix. ↗
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck6.1MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-ppfv-j8g7-xg43: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kunal Nagar Custom 404 Pro allows Reflect
ghsa_unreviewed·2024-08-02
CVE-2024-39646 [HIGH] CWE-79 GHSA-ppfv-j8g7-xg43: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kunal Nagar Custom 404 Pro allows Reflect
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kunal Nagar Custom 404 Pro allows Reflected XSS.This issue affects Custom 404 Pro: from n/a through 3.11.1.
VulnCheck
kunalnagar custom_404_pro Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2024·CVSS 6.1
CVE-2024-39646 [MEDIUM] kunalnagar custom_404_pro Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
kunalnagar custom_404_pro Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kunal Custom 404 Pro custom-404-pro.This issue affects Custom 404 Pro: from n/a through <= 3.11.1.
Affected: kunalnagar custom_404_pro
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/plugin/custom-404-pro/vulnerability/wordpress-custom-404-pro-plugin-3-11-1-reflected-cross-site-scripting-xss-vulnerability
No detection rules found.
Nuclei
WordPress Custom 404 Pro <= 3.11.1 - Reflected XSS
nuclei·CVSS 6.1
CVE-2024-39646 [MEDIUM] WordPress Custom 404 Pro <= 3.11.1 - Reflected XSS
WordPress Custom 404 Pro <= 3.11.1 - Reflected XSS
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kunal Nagar Custom 404 Pro allows Reflected XSS.This issue affects Custom 404 Pro: from n/a through 3.11.1.
Template:
id: CVE-2024-39646
info:
name: WordPress Custom 404 Pro <= 3.11.1 - Reflected XSS
author: Sourabh-Sahu
severity: high
description: |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kunal Nagar Custom 404 Pro allows Reflected XSS.This issue affects Custom 404 Pro: from n/a through 3.11.1.
impact: |
Attackers can execute arbitrary scripts in victims' browsers, leading to session hijacking, defacement, or redirection.
remediation: |
Update to version 3.11.
No writeups or analysis indexed.
2024-08-01
Published
Exploited in the wild