Impact
The Custom Post Type UI plugin for WordPress is vulnerable to stored cross‑site scripting through the "label" parameter used during custom post type import. Because the plugin does not sanitize or escape this input, an authenticated user with Administrator privileges can inject arbitrary JavaScript that will be executed whenever a site visitor opens the Tools → Get Code page. This flaw allows an attacker to run client‑side code in the victim’s browser, potentially leading to credential compromise, defacement, or further malicious activity.
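The following PHP script is an added illustration and is not code from the Custom Post Type UI plugin or from the CVE record. It shows the general shape of the defect described above: a post type "label" taken from an import document is later written into a generated-code page, and the outcome depends entirely on whether that value is escaped at output time. The import JSON is constructed for the demo, the `cptui_demo_*` function names are hypothetical, and `htmlspecialchars()` stands in for the WordPress `esc_html()` / `esc_attr()` helpers so the file runs outside WordPress.

```php
<?php
// Added example (not the plugin's own code): stored XSS through an unescaped
// "label" versus the same value escaped at output time. The import payload is
// constructed for this demo; cptui_demo_* names are hypothetical.

// Constructed import document, shaped like a minimal post type export.
// The label carries the classic XSS marker so the difference is visible.
const DEMO_IMPORT_JSON = '{"book":{"name":"book","label":"Books<script>alert(1)</script>"}}';

// Decode the import the way a plugin would: untrusted JSON from a form field.
function cptui_demo_parse_import(string $json): array {
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// VULNERABLE rendering: the stored label is concatenated straight into HTML,
// so whatever was imported reaches the browser verbatim.
function cptui_demo_render_unsafe(array $types): string {
    $html = '';
    foreach ($types as $slug => $type) {
        $html .= '<pre>register_post_type( \'' . $slug
               . '\', array( \'label\' => \'' . $type['label'] . '\' ) );</pre>' . "\n";
    }
    return $html;
}

// HARDENED rendering: every untrusted value is escaped for the HTML context
// it is written into. htmlspecialchars() is the stand-in here; inside
// WordPress the equivalent calls are esc_html() for element content and
// esc_attr() for attribute values.
function cptui_demo_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function cptui_demo_render_safe(array $types): string {
    $html = '';
    foreach ($types as $slug => $type) {
        $html .= '<pre>register_post_type( \'' . cptui_demo_escape((string) $slug)
               . '\', array( \'label\' => \'' . cptui_demo_escape((string) $type['label'])
               . '\' ) );</pre>' . "\n";
    }
    return $html;
}

// Minimal regression check a reviewer can keep in a test suite: the generated
// page must never contain a raw <script> element that the template itself
// did not emit.
function cptui_demo_contains_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

$types  = cptui_demo_parse_import(DEMO_IMPORT_JSON);
$unsafe = cptui_demo_render_unsafe($types);
$safe   = cptui_demo_render_safe($types);

echo 'Unsafe output contains <script>: ' . (cptui_demo_contains_script($unsafe) ? 'yes' : 'no') . "\n";
echo 'Safe output contains <script>:   ' . (cptui_demo_contains_script($safe) ? 'yes' : 'no') . "\n";
echo $safe;
```

Run with `php demo.php`: the unsafe renderer reports `yes`, the escaped renderer reports `no`, and the printed snippet shows the label as literal text (`&lt;script&gt;...`) rather than as markup. Escaping at output is the fix that matters, because the stored value may have entered through any path; stripping markup at import time (for example with WordPress's `sanitize_text_field()`) is a useful second layer but does not replace context-correct escaping where the value is rendered.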
Affected Systems
The vulnerability affects all releases of the Custom Post Type UI WordPress plugin up to and including version 1.18.1. Any WordPress installation employing this plugin without a later patch is at risk.
Risk and Exploitability
The CVSS score of 4.4 indicates moderate severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. The flaw is not listed in CISA’s KEV catalog and requires an authenticated Administrator to perform the injection. Because the malicious code is stored and only executed when a user accesses a specific plugin page, the risk is primarily to users who trigger that page after an administrator has imported a malicious label. Overall, the threat is moderate but present for sites still running the affected plugin version.
OpenCVE Enrichment