CVE-2025-9947: 
WordPress vulnerability analysis and mitigation

The Custom 404 Pro plugin for WordPress contains a time-based SQL Injection vulnerability (CVE-2025-9947) affecting all versions up to and including 3.12.0. The vulnerability was discovered on October 10, 2025, and publicly disclosed on October 11, 2025. The flaw exists in the 'path' parameter due to insufficient escaping of user-supplied input and inadequate SQL query preparation (NVD).

The vulnerability is classified as a SQL Injection (CWE-89) with a CVSS v3.1 Base Score of 4.9 (Medium). The attack vector requires an authenticated user with Administrator-level access or higher privileges. The vulnerability allows attackers to append additional SQL queries to existing database queries, potentially leading to unauthorized data extraction (Wordfence).

The successful exploitation of this vulnerability could allow authenticated attackers with administrator privileges to extract sensitive information from the WordPress database. The vulnerability primarily affects the confidentiality of the system, with no direct impact on integrity or availability (NVD).

Website administrators running the Custom 404 Pro plugin should update to a version newer than 3.12.0 when available. In the meantime, it is recommended to restrict administrator access only to trusted users and monitor for any suspicious database queries (Wordfence).