Custom 404 Pro Security & Risk Analysis

wordpress.org/plugins/custom-404-pro

Override the default 404 page with any page from the Admin Panel or a Custom URL.

7K active installs v3.12.8 PHP + WP 3.0.1+ Updated Apr 10, 2026
404 · 404-error-page · broken-link · custom-404-page
Score: 50
C · Use Caution
CVEs total: 12
Unpatched: 1
Last CVE: Oct 10, 2025
Safety Verdict

Is Custom 404 Pro Safe to Use in 2026?

Use With Caution

Score 50/100

Custom 404 Pro has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

12 known CVEs · 1 unpatched · Last CVE: Oct 10, 2025 · Updated 1mo ago
Risk Assessment

The "custom-404-pro" plugin v3.12.8 exhibits a mixed security posture. It follows secure coding practices in several areas, but its vulnerability history and specific taint analysis findings raise notable concerns. The analysis found no direct entry points (AJAX handlers, REST API routes, shortcodes, or cron events) exposed without authentication, and the plugin generally uses prepared statements for SQL queries and escapes output properly. This suggests a good foundation for preventing common web attacks.

However, the 3 unsanitized flows identified during taint analysis, all rated high severity, are a significant concern. These flows represent potential vulnerabilities that could be exploited even though the attack surface appears limited. Furthermore, the plugin's history of 12 known CVEs, including 2 critical and 2 high-severity ones, with one still unpatched, points to a recurring pattern of security weaknesses. The recurring vulnerability types (CSRF, XSS, SQL Injection) show the kinds of risk this plugin has historically presented.

In conclusion, while "custom-404-pro" has implemented some robust security measures, the identified high-severity taint flows and its substantial history of critical and high-severity vulnerabilities, particularly the unpatched one, indicate a significant ongoing risk. Users should be cautious and prioritize addressing the unpatched vulnerability and investigating the high-severity taint flows.

Key Concerns

  • Currently unpatched CVE
  • High severity taint flows (3)
  • Critical CVEs in history (2)
  • High severity CVEs in history (2)
Vulnerabilities
12 published

Custom 404 Pro Security Vulnerabilities

CVEs by Year

  • 2019: 2 CVEs
  • 2023: 7 CVEs
  • 2024: 1 CVE
  • 2025: 2 CVEs · unpatched

Severity Breakdown

  • Critical: 2
  • High: 2
  • Medium: 8

12 total CVEs

CVE-2025-9947 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Custom 404 Pro <= 3.12.0 - Authenticated (Administrator+) SQL Injection via `path` Parameter

Oct 10, 2025 · Unpatched
CVE-2025-62880 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Custom 404 Pro <= 3.12.0 - Cross-Site Request Forgery

May 13, 2025 Patched in 3.12.1 (338d)
CVE-2024-39646 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Custom 404 Pro <= 3.11.1 - Reflected Cross-Site Scripting

Aug 1, 2024 Patched in 3.11.2 (7d)
CVE-2023-51540 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Custom 404 Pro <= 3.10.0 - Unauthenticated Stored Cross-Site Scripting via logging

Dec 27, 2023 Patched in 3.10.1 (27d)
CVE-2023-32740 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Custom 404 Pro <= 3.8.1 - Reflected Cross-Site Scripting via 'page'

May 15, 2023 Patched in 3.8.2 (253d)
CVE-2023-2023 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Custom 404 Pro <= 3.7.2 - Reflected Cross-Site Scripting via 's'

May 2, 2023 Patched in 3.7.3 (266d)
WF-d22fb2e8-bb61-49bc-9fab-8f7c58339a69-custom-404-pro · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Custom 404 Pro <= 3.7.2 - Unauthenticated SQL Injection

Apr 25, 2023 Patched in 3.7.3 (273d)
CVE-2023-2032 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Custom 404 Pro <= 3.8.0 - Unauthenticated SQL Injection via 's'

Apr 25, 2023 Patched in 3.8.1 (273d)
CVE-2023-0385 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Custom 404 Pro <= 3.7.1 - Cross-Site Request Forgery

Jan 18, 2023 Patched in 3.7.2 (370d)
CVE-2022-47605 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Custom 404 Pro <= 3.7.0 - Authenticated (Administrator+) SQL Injection

Jan 13, 2023 Patched in 3.7.1 (375d)
CVE-2019-14789 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Custom 404 Pro <= 3.2.8 - Reflected Cross-Site Scripting

Jun 25, 2019 Patched in 3.2.9 (1879d)
CVE-2019-15838 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Custom 404 Pro <= 3.2.7 - Reflected Cross-Site Scripting

Jun 24, 2019 Patched in 3.2.8 (1674d)
Version History

Custom 404 Pro Release Timeline

Code Analysis
Analyzed Apr 16, 2026

Custom 404 Pro Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 2 (30 prepared)
  • Unescaped Output: 3 (56 escaped)
  • Nonce Checks: 7
  • Capability Checks: 25
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

94% prepared · 32 total queries

Output Escaping

95% escaped · 59 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

7 flows · 3 with unsanitized paths
custom_404_pro_notices (admin/class-adminclass.php:92)
Attack Surface

Custom 404 Pro Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 9
  • action · plugins_loaded · includes/class-pluginclass.php:48
  • action · admin_menu · includes/class-pluginclass.php:49
  • action · admin_enqueue_scripts · includes/class-pluginclass.php:50
  • action · admin_enqueue_scripts · includes/class-pluginclass.php:51
  • action · admin_init · includes/class-pluginclass.php:52
  • action · template_redirect · includes/class-pluginclass.php:53
  • action · admin_notices · includes/class-pluginclass.php:54
  • action · admin_post_form-settings-global-redirect · includes/class-pluginclass.php:55
  • action · admin_post_form-settings-general · includes/class-pluginclass.php:56
Maintenance & Trust

Custom 404 Pro Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 10, 2026
PHP min version
Downloads: 291K

Community Trust

Rating: 84/100
Number of ratings: 22
Active installs: 7K
Developer Profile

Custom 404 Pro Developer Profile

Kunal

1 plugin · 7K total installs

Trust score: 44
Avg Security Score: 50/100
Avg Patch Time: 521 days
Detection Fingerprints

How We Detect Custom 404 Pro

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/custom-404-pro/admin/css/custom-404-pro-admin.css
/wp-content/plugins/custom-404-pro/admin/js/custom-404-pro-admin.js
Script Paths
/wp-content/plugins/custom-404-pro/admin/js/custom-404-pro-admin.js
Version Parameters
custom-404-pro/admin/css/custom-404-pro-admin.css?ver=
custom-404-pro/admin/js/custom-404-pro-admin.js?ver=

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about Custom 404 Pro