Vulnerability Details: Reflected Cross-Site Scripting (XSS) in 404 to 301
The changelog for the latest version of the WordPress plugin 404 to 301 is:
Security checks and improvements.
As at least one of our customers is using the plugin, we reviewed the changes made to determine whether a vulnerability was being fixed.
What we found was the developer was adding escaping to the output of the add_query_arg() function in a couple of locations. Here is how the first instance of that looked before:
<a href="<?php echo add_query_arg( 'jj4t3_rating', 'later' ); // later. ?>"><?php esc_html_e( 'Nope, maybe later', '404-to-301' ); ?></a>
And after:
<a href="<?php echo esc_url( add_query_arg( 'jj4t3_rating', 'later' ) ); // later. ?>"><?php esc_html_e( 'Nope, maybe later', '404-to-301' ); ?></a>
Without that escaping, the URL of the current request is output unescaped into the href attribute, which permits reflected cross-site scripting (XSS), as the proof of concept below confirms.
We have updated our Plugin Security Checker to flag code similar to this.
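As an added illustration of the kind of check referred to above (this is example code written for this page, not the Plugin Security Checker's own implementation), the following Python linter flags an echo of add_query_arg() whose output is not wrapped in esc_url() or esc_attr(). The sample PHP is constructed from the plugin's before and after lines plus one concatenation case that an escaper does not cover.

```python
import re

# WordPress functions that make a URL safe to print inside an HTML attribute.
URL_ESCAPERS = {"esc_url", "esc_attr"}

# One echo statement: "echo <expression>;" (the PHP short echo "<?=" is handled too).
ECHO_RE = re.compile(r'(?:\becho\b|<\?=)\s*(.*?);', re.DOTALL)


def _wrapped_by_escaper(expr: str) -> bool:
    """True if the whole expression is a single esc_url()/esc_attr() call."""
    m = re.match(r'\s*([A-Za-z_]\w*)\s*\(', expr)
    if not m or m.group(1) not in URL_ESCAPERS:
        return False
    depth = 0
    for i in range(m.end() - 1, len(expr)):   # start at the opening '('
        if expr[i] == '(':
            depth += 1
        elif expr[i] == ')':
            depth -= 1
            if depth == 0:
                # The escaper call must span the whole expression (no trailing ". $x").
                return expr[i + 1:].strip() == ''
    return False


def find_unescaped_add_query_arg(php_source: str):
    """Return (line, expression) for each echo that prints add_query_arg()
    output without esc_url()/esc_attr() around the entire expression.
    Parentheses inside string literals are not handled (toy linter)."""
    findings = []
    for m in ECHO_RE.finditer(php_source):
        expr = m.group(1)
        if not re.search(r'\badd_query_arg\s*\(', expr):
            continue
        if _wrapped_by_escaper(expr):
            continue
        line = php_source.count('\n', 0, m.start()) + 1
        findings.append((line, expr.strip()))
    return findings


# Constructed sample: the plugin's line before and after the fix, plus a
# concatenation where esc_url() covers only part of the printed value.
SAMPLE_PHP = """<a href="<?php echo add_query_arg( 'jj4t3_rating', 'later' ); // later. ?>">x</a>
<a href="<?php echo esc_url( add_query_arg( 'jj4t3_rating', 'later' ) ); // later. ?>">x</a>
<a href="<?php echo esc_url( $base ) . add_query_arg( 'p', 1 ); ?>">x</a>
"""

if __name__ == "__main__":
    for line, expr in find_unescaped_add_query_arg(SAMPLE_PHP):
        print(f"line {line}: unescaped add_query_arg() output in: {expr}")
```

Run against the sample, lines 1 and 3 are reported and the fixed line 2 passes.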
Proof of Concept
The following proof of concept will cause the number 1 to be shown in an alert box when logged in to WordPress. In Safari and other web browsers that provide XSS filtering this proof of concept will not work.
Replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/admin.php?page=jj4t3-settings&"><script>alert(1);</script>