Description
WordPress Plugin 404 to 301-Redirect, Log and Notify 404 Errors is prone to cloaking. The plugin inserts links to websites into page content. These links are hidden from the site owner and appear only when Google or another search engine crawls the site. WordPress Plugin 404 to 301-Redirect, Log and Notify 404 Errors version 2.2.9 is affected; prior versions may also be affected.
Remediation
Update the plugin to version 2.3.0 or the latest version.
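A site owner can check for this kind of cloaking by comparing the external links in the same page as served to a normal browser and as served to a search-engine crawler. The following is an added example, not code from the plugin or from the referenced write-ups; the function names, the host `blog.example` and both sample responses are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def external_hosts(html, site_host):
    """Return the hosts linked from html, excluding site_host and its subdomains."""
    parser = _LinkCollector()
    parser.feed(html)
    hosts = set()
    for href in parser.hrefs:
        # Relative links have no hostname and are treated as internal.
        host = (urlparse(href).hostname or "").lower()
        if host and host != site_host and not host.endswith("." + site_host):
            hosts.add(host)
    return hosts


def cloaked_hosts(browser_html, crawler_html, site_host):
    """Hosts linked only in the response served to the crawler."""
    return external_hosts(crawler_html, site_host) - external_hosts(browser_html, site_host)


# Constructed sample responses for the same URL (not captured from a real site).
BROWSER_HTML = """<html><body><p>Welcome.</p>
<a href="/about/">About</a> <a href="https://wordpress.org/">WordPress</a></body></html>"""
CRAWLER_HTML = """<html><body><p>Welcome. <a href="https://injected.example/offer">offer</a></p>
<a href="/about/">About</a> <a href="https://wordpress.org/">WordPress</a></body></html>"""

if __name__ == "__main__":
    for host in sorted(cloaked_hosts(BROWSER_HTML, CRAWLER_HTML, "blog.example")):
        print("link shown only to crawler:", host)
```

In practice the two inputs are the responses to the same URL fetched with a browser User-Agent and with a crawler User-Agent. Cloaking that keys on the crawler's source address rather than its User-Agent will not show up in this comparison.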
References
https://www.wordfence.com/blog/2016/08/404-301-plugin-considered-harmful/
https://wordpress.org/support/topic/cloaking-seriously
https://www.wordfence.com/blog/2016/08/will-always-put-customers-community-first/