Description
WordPress Plugin 404 to 301-Redirect, Log and Notify 404 Errors is prone to cloaking. The plugin is inserting links to websites into page content, hidden to the site owner, that would only show up when Google or another search engine crawled the site. WordPress Plugin 404 to 301-Redirect, Log and Notify 404 Errors version 2.2.9 is affected; prior versions may also be affected.
Remediation
Update to plugin version 2.3.0 or latest
References
https://www.wordfence.com/blog/2016/08/404-301-plugin-considered-harmful/
https://wordpress.org/support/topic/cloaking-seriously
https://www.wordfence.com/blog/2016/08/will-always-put-customers-community-first/
Related Vulnerabilities
WordPress Plugin AdRotate-Ad manager & AdSense Ads SQL Injection (5.8.3.1)
PleskLin Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-4878)
ownCloud Improper Privilege Management Vulnerability (CVE-2021-35946)
WordPress Plugin WP GDPR Compliance Cross-Site Scripting (1.5.5)
WordPress Weak Password Recovery Mechanism for Forgotten Password Vulnerability (CVE-2014-6412)