CVE-2025-13405
📋 TL;DR
The Ace Post Type Builder WordPress plugin has an authorization vulnerability that allows authenticated users with Subscriber-level permissions or higher to delete arbitrary custom taxonomies. This affects all WordPress sites using the plugin version 1.9 or earlier. Attackers can disrupt site functionality by removing important content organization structures.
💻 Affected Systems
- Ace Post Type Builder WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious actors could systematically delete all custom taxonomies, causing content organization breakdowns, broken navigation, and requiring complete site restoration from backups.
Likely Case
Attackers delete key taxonomies, disrupting content management workflows and requiring manual recreation of taxonomies and content reclassification.
If Mitigated
With proper user access controls and monitoring, impact is limited to minor content organization issues that can be quickly restored.
🎯 Exploit Status
Exploitation requires authenticated access but only Subscriber-level permissions. The vulnerability is simple to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check for version after 1.9
Vendor Advisory: https://plugins.trac.wordpress.org/browser/ace-post-type-builder/
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Ace Post Type Builder plugin
4. Click 'Update Now' if update available
5. If no update available, disable or remove the plugin
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patched version is available
wp plugin deactivate ace-post-type-builder
Restrict User Roles
allLimit Subscriber and other low-privilege user accounts
🧯 If You Can't Patch
- Remove or disable the Ace Post Type Builder plugin entirely
- Implement strict user access controls and monitor for suspicious taxonomy deletion activities
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Ace Post Type Builder → Version. If version is 1.9 or lower, you are vulnerable.Check Version:
wp plugin get ace-post-type-builder --field=versionVerify Fix Applied:
After update, verify plugin version is higher than 1.9. Test with low-privilege user account that taxonomy deletion is properly restricted.📡 Detection & Monitoring
Log Indicators:
- WordPress audit logs showing taxonomy deletion by non-admin users
- Plugin-specific logs showing cptb_delete_custom_taxonomy calls
Network Indicators:
- POST requests to WordPress admin-ajax.php or admin-post.php with taxonomy deletion parameters
SIEM Query:
source="wordpress" AND (action="delete_taxonomy" OR message="*taxonomy*deleted*") AND user_role!="administrator"🔗 References
- https://plugins.trac.wordpress.org/browser/ace-post-type-builder/tags/1.9/includes/class-cptb-core.php#L400
- https://plugins.trac.wordpress.org/browser/ace-post-type-builder/trunk/includes/class-cptb-core.php#L400
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b56cef33-057b-4c40-945f-68306597b00b?source=cve
