CVE-2025-12826
📋 TL;DR
The Custom Post Type UI WordPress plugin has an authorization bypass vulnerability that allows authenticated users with subscriber-level access or higher to add, edit, or delete custom post types in limited situations. This affects all versions up to and including 1.18.0. WordPress sites using this plugin are vulnerable.
💻 Affected Systems
- Custom Post Type UI WordPress plugin
⚠️ Manual Verification Required
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate custom post types to create malicious content, disrupt site functionality, or escalate privileges through crafted post types.
Likely Case
Subscriber-level users could modify custom post type configurations, potentially breaking site features or creating unauthorized content types.
If Mitigated
With proper user role management and monitoring, impact is limited to minor configuration changes by low-privilege users.
🎯 Exploit Status
Exploitation requires authenticated access. The vulnerability is in the cptui_process_post_type function where capability checks are missing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.18.1
Vendor Advisory: https://github.com/WebDevStudios/custom-post-type-ui/commit/215779a5ac0c624f0dcf875e87305b4898d5bcf9
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Custom Post Type UI' and click 'Update Now'.
4. Verify the version is 1.18.1 or higher.
🔧 Temporary Workarounds
Temporary plugin deactivation
Disable the Custom Post Type UI plugin until patched:
wp plugin deactivate custom-post-type-ui
Restrict user roles
Temporarily limit subscriber-level user access or remove unnecessary accounts.
🧯 If You Can't Patch
- Remove or restrict subscriber-level user accounts to minimize attack surface
- Implement web application firewall rules to monitor for suspicious post type modification requests
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for the Custom Post Type UI version. If the version is 1.18.0 or lower, the site is affected.
Check Version:
wp plugin get custom-post-type-ui --field=version
Verify Fix Applied:
After updating, verify plugin version shows 1.18.1 or higher in WordPress admin.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to admin-ajax.php with cptui_process_post_type action
- User role changes or unexpected custom post type modifications in WordPress logs
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=cptui_process_post_type from low-privilege user accounts
SIEM Query:
source="wordpress.log" AND "cptui_process_post_type" AND (user_role="subscriber" OR user_role="contributor")
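As an added example (not part of this advisory), the log-indicator logic above applied to a constructed request log: it flags POSTs to admin-ajax.php carrying the cptui_process_post_type action from subscriber or contributor accounts, while the same action from an administrator is treated as expected. The log line layout, field names and user names are assumptions; a hit means the request should be reviewed, not that exploitation succeeded.

```python
import re

# Constructed sample log (not from any real site). The layout assumes a WordPress
# request log that records the acting user's role next to the request, which is
# what the SIEM query on this page also assumes.
SAMPLE_LOG = """\
2025-11-02T10:01:12Z POST /wp-admin/admin-ajax.php action=heartbeat user=alice user_role=administrator
2025-11-02T10:02:45Z POST /wp-admin/admin-ajax.php action=cptui_process_post_type user=bob user_role=subscriber
2025-11-02T10:03:01Z POST /wp-admin/admin-ajax.php action=cptui_process_post_type user=alice user_role=administrator
2025-11-02T10:03:30Z GET /wp-admin/index.php user=alice user_role=administrator
2025-11-02T10:04:10Z POST /wp-admin/admin-ajax.php action=cptui_process_post_type user=carol user_role=contributor
"""

LOW_PRIV_ROLES = {"subscriber", "contributor"}   # roles named in the SIEM query above
TARGET_ACTION = "cptui_process_post_type"         # action named in the page's indicators

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+)(?P<kv>.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "method": m["method"], "path": m["path"]}
    for pair in m["kv"].split():          # trailing key=value fields
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def find_suspicious(log_text):
    """Return records for CPT UI post-type processing requests made by low-privilege roles."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST"
                and rec["path"].endswith("/admin-ajax.php")
                and rec.get("action") == TARGET_ACTION
                and rec.get("user_role") in LOW_PRIV_ROLES):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} review: {hit['user']} ({hit['user_role']}) sent {TARGET_ACTION}")
```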