Description
The Custom Post Type UI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.18.0. This is due to the plugin not verifying that a user has the required capability to perform actions in the "cptui_process_post_type" function. This makes it possible for authenticated attackers, with subscriber level access and above, to add, edit, or delete custom post types in limited situations.
Published: 2025-12-04
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of custom post types by authenticated users
Action: Update plugin
AI Analysis

Impact

The plugin fails to verify user capabilities in the cptui_process_post_type function, allowing any authenticated user with subscriber level or higher to add, edit, or delete custom post types. This authorization bypass can alter the site’s custom post type definitions without proper privilege checks.

Affected Systems

WordPress sites running the Custom Post Type UI plugin from WebDevStudios, in any release up to and including version 1.18.0, are affected.

Risk and Exploitability

The CVSS score is 4.8, indicating moderate severity. The EPSS is less than 1%, reflecting a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated with at least subscriber-level access, and the flaw is exercised when the plugin’s CPT management screens are accessed. No publicly disclosed exploit is mentioned in the provided data.

Generated by OpenCVE AI on April 22, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Custom Post Type UI to version 1.19.0 or later, where the authorization fix is applied.
  • Restrict the capability to manage custom post types so that only administrators can add, edit, or delete them; remove this capability from non‑administrator roles.
  • Review site logs for any unauthorized custom post type changes and restore the original configurations if necessary.

Generated by OpenCVE AI on April 22, 2026 at 00:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Dec 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Webdevstudios
Webdevstudios custom Post Type Ui
Wordpress
Wordpress wordpress
Vendors & Products Webdevstudios
Webdevstudios custom Post Type Ui
Wordpress
Wordpress wordpress

Thu, 04 Dec 2025 07:00:00 +0000

Type Values Removed Values Added
Description The Custom Post Type UI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.18.0. This is due to the plugin not verifying that a user has the required capability to perform actions in the "cptui_process_post_type" function. This makes it possible for authenticated attackers, with subscriber level access and above, to add, edit, or delete custom post types in limited situations.
Title Custom Post Type UI <= 1.18.0 - Missing Authorization to Unauthenticated (Previously Administrator+) Custom Post Type Modification
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Webdevstudios Custom Post Type Ui
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:50.072Z

Reserved: 2025-11-06T19:14:37.111Z

Link: CVE-2025-12826

cve-icon Vulnrichment

Updated: 2025-12-05T17:22:00.888Z

cve-icon NVD

Status : Deferred

Published: 2025-12-04T07:16:14.920

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12826

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:30:04Z

Weaknesses