What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SeedProd 404 Page by SeedProd allows Stored XSS. This issue affects 404 Page by SeedProd: from n/a through n/a.
Explanation of Vulnerability in Simple Terms
02 Summary
A stored cross-site scripting (XSS) vulnerability exists in SeedProd's 404 Page plugin versions before 1.0.2. An authenticated administrator with high privileges can inject malicious scripts into the plugin's settings. When another user visits the affected page, the script executes in their browser, potentially allowing the attacker to steal session data or perform actions on their behalf. The vulnerability requires user interaction and affects the site's scope.
What an attacker can do
03 Attacker Capabilities
Inject malicious scripts that execute when other users view the 404 page, stealing their session data or performing actions as them.
Potential impact on your site
04 Site Impact
Administrators can unknowingly inject malicious code affecting all site visitors; update the plugin immediately to prevent stored XSS attacks.
Conditions required to exploit
05 Prerequisites
Attacker must have administrator-level access to the WordPress site and the victim must visit the affected 404 page.
Key dates
06 Disclosure timeline
June 6, 2025: CVE published
April 28, 2026: Record updated