The Custom 404 Pro plugin for WordPress, developed by kunalnagar, suffers from a time-based SQL Injection vulnerability identified as CVE-2025-9947. This vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89) specifically through the 'path' parameter. The plugin fails to sufficiently escape user-supplied input and does not use prepared statements, allowing an attacker with administrator privileges to append malicious SQL queries to existing database queries. The attack vector is remote network-based (AV:N), requires low attack complexity (AC:L), but demands high privileges (PR:H) and no user interaction (UI:N). The impact primarily compromises confidentiality by enabling unauthorized extraction of sensitive data from the database. The vulnerability affects all versions up to and including 3.12.0 of the plugin. Although no public exploits have been reported yet, the vulnerability is published and rated with a CVSS 3.1 base score of 4.9 (medium severity). The scope is unchanged (S:U), meaning the vulnerability affects only the vulnerable component without impacting other system components. The vulnerability does not affect data integrity or availability, limiting the attacker's capabilities to data disclosure. The plugin is commonly used in WordPress environments to customize 404 error pages, and the exploitation requires authenticated administrator access, which limits the attack surface but still poses a significant risk if credentials are compromised or insider threats exist.

For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive information stored in WordPress databases, including potentially personal data protected under GDPR. Organizations relying on the Custom 404 Pro plugin for their WordPress sites could face data breaches if attackers gain administrator access and exploit this SQL injection flaw. While the vulnerability does not allow data modification or service disruption, the exposure of confidential data can lead to reputational damage, regulatory fines, and loss of customer trust. Given the widespread use of WordPress in Europe, especially among SMEs and public sector entities, the impact could be significant if not addressed. Additionally, the requirement for administrator privileges means that compromised credentials or insider threats are the primary risk vectors, emphasizing the need for strong access controls. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits in the future.

European organizations should immediately audit their WordPress installations to identify the presence of the Custom 404 Pro plugin and verify the version in use. If the plugin is installed, upgrading to a patched version once available is the most effective mitigation. In the absence of an official patch, organizations should consider disabling or uninstalling the plugin to eliminate the attack vector. Implement strict administrator access controls, including multi-factor authentication (MFA), to reduce the risk of credential compromise. Regularly monitor administrator account activity and audit logs for suspicious behavior. Employ Web Application Firewalls (WAFs) with custom rules to detect and block anomalous SQL injection attempts targeting the 'path' parameter. Additionally, conduct periodic security assessments and penetration testing focused on WordPress plugins. Backup databases regularly and ensure backups are securely stored to mitigate potential data loss from other attack vectors. Finally, educate administrators on secure plugin management and the risks of privilege misuse.