CVE-2024-39646
published 2024-08-01


Priority: P180 medium | CVSS 3.1 score: 6.1
Vector: AV:N AC:L PR:N UI:R S:C C:L I:L A:N
In the wild: Exploited (VulnCheck KEV)
EPSS: 0.59% (43.7th percentile)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kunal Custom 404 Pro custom-404-pro. This issue affects Custom 404 Pro: from n/a through <= 3.11.1.

Affected

2 ranges

Vendor       Product          Version range   Fixed in
kunal        custom_404_pro   <= 3.11.1
kunalnagar   custom_404_pro   < 3.11.2        3.11.2

Detection & IOCs (extracted from sources)

url:   /wp-admin/admin.php?page=c4p-main&c4pmessage=hello&c4pmessageType=%22%20onmouseover%3Dalert(1)%20
path:  /wp-admin/admin.php?page=c4p-main
other: c4pmessageType=" onmouseover=alert(1)
  • Reflected XSS payload is injected via the `c4pmessageType` GET parameter on the admin page `c4p-main`. Look for unencoded quote and event handler strings in HTTP responses to this endpoint.
  • Detection can confirm exploitation by matching the reflected payload `" onmouseover=alert(1)` in the HTML response body with content-type `text/html`.
  • The vulnerability requires an authenticated session (wordpress_logged_in_ cookie present). Monitor for suspicious GET requests to `/wp-admin/admin.php?page=c4p-main` with unusual `c4pmessageType` values containing HTML event handlers.
  • Exploitation requires an authenticated WordPress session; the attack vector is network-based but requires user interaction (UI:R) and an authenticated context. The CVSS score of 7.1 reflects Confidentiality, Integrity, and Availability impact.
  • Affected versions are Custom 404 Pro from n/a through 3.11.1 inclusive. Version 3.11.2 contains the fix.
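The detection bullets above describe what to look for in requests to the `c4p-main` admin page. The script below is an added example written for this page, not tooling from the plugin author or the database; it scans web-server access-log lines (combined log format, sample lines constructed here, not real traffic), URL-decodes the query string of requests to `/wp-admin/admin.php?page=c4p-main`, and flags any parameter value that carries a quote character together with an HTML event-handler string, which is the reflected pattern the IOCs above record. The log format, helper names and sample addresses are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format). Not real traffic;
# the first line carries the payload listed in the IOCs above, the rest are benign
# or hit a different path and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Aug/2024:10:00:01 +0000] "GET /wp-admin/admin.php?page=c4p-main&c4pmessage=hello&c4pmessageType=%22%20onmouseover%3Dalert(1)%20 HTTP/1.1" 200 5120
203.0.113.5 - - [01/Aug/2024:10:00:02 +0000] "GET /wp-admin/admin.php?page=c4p-main&c4pmessage=Saved&c4pmessageType=success HTTP/1.1" 200 5100
198.51.100.7 - - [01/Aug/2024:10:00:03 +0000] "GET /wp-admin/admin.php?page=plugins HTTP/1.1" 200 9000
198.51.100.9 - - [01/Aug/2024:10:00:04 +0000] "GET /index.php?page=c4p-main&c4pmessageType=%22%20onmouseover%3Dalert(1) HTTP/1.1" 404 200
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# An attribute event handler such as onmouseover= / onerror= (case-insensitive).
EVENT_HANDLER_RE = re.compile(r"on[a-z]+\s*=", re.IGNORECASE)

TARGET_PATH = "/wp-admin/admin.php"
TARGET_PAGE = "c4p-main"


def is_suspicious_value(value: str) -> bool:
    """True when a decoded parameter value contains a quote (attribute break-out)
    and an event-handler assignment, the combination the IOCs above describe."""
    decoded = unquote(value)  # second decode catches double-encoded variants
    has_quote = '"' in decoded or "'" in decoded
    return has_quote and EVENT_HANDLER_RE.search(decoded) is not None


def find_c4p_xss(log_text: str) -> list[dict]:
    """Return one record per flagged request: who sent it, when, which parameter,
    and the decoded value that triggered the match."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line we can parse; skip rather than guess
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)  # decodes %XX once
        if params.get("page") != [TARGET_PAGE]:
            continue
        for name, values in params.items():
            if name == "page":
                continue
            for value in values:
                if is_suspicious_value(value):
                    hits.append({
                        "ip": m.group("ip"),
                        "ts": m.group("ts"),
                        "status": int(m.group("status")),
                        "param": name,
                        "value": value,
                    })
    return hits


if __name__ == "__main__":
    for hit in find_c4p_xss(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} param={hit['param']} value={hit['value']!r}")
```

Access logs record the request, not the response, so a hit here shows that the payload was sent to the endpoint; confirming that it was actually reflected unencoded needs the response body (or a WAF/reverse-proxy log that captures it), as the second bullet notes. Because the page only reflects the parameter to an authenticated admin, a hit from a client without an admin session is most likely a scanner probing, which is still worth recording.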

CVSS provenance

NVD (v3.1):  6.1 MEDIUM  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
VulnCheck:   6.1 MEDIUM