Description
The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR (||) instead of AND (&&), causing the validation to fail when the nonce field is not empty OR when verification fails, rather than when it's empty AND verification fails. This makes it possible for unauthenticated attackers to modify the plugin's post type slug removal settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-02-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: CSRF to change plugin settings
Action: Patch
AI Analysis

Impact

The Remove Post Type Slug plugin validates nonces with a logical OR instead of AND, so a request with an empty nonce field or a failed nonce check passes validation. This flaw allows an unauthenticated attacker to trick a logged‑in administrator into clicking a crafted link, causing the plugin’s post type slug removal settings to be altered without authorization. The vulnerability affects the integrity and availability of site configuration, potentially disrupting content handling for the affected WordPress installation.

Affected Systems

The vulnerability is present in the WordPress plugin Remove Post Type Slug versions up to and including 1.0.2, distributed by akshayshah5189. WordPress sites that employ this plugin and have an administrator with network access are impacted.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% shows a low probability of exploitation. The flaw is not listed in CISA’s KEV catalog. Attackers can exploit this vulnerability by posing as a trustworthy link to a site administrator, leveraging the plugin’s flawed nonce logic to modify settings after a single forged request.

Generated by OpenCVE AI on April 21, 2026 at 00:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Remove Post Type Slug plugin to a version newer than 1.0.2
  • Ensure that only trusted, properly authenticated administrators can access WordPress admin area and enable two‑factor authentication
  • Implement additional server‑side nonce checks or disable the plugin if it is no longer required

Generated by OpenCVE AI on April 21, 2026 at 00:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Akshayshah5189
Akshayshah5189 remove Post Type Slug
Wordpress
Wordpress wordpress
Vendors & Products Akshayshah5189
Akshayshah5189 remove Post Type Slug
Wordpress
Wordpress wordpress

Thu, 19 Feb 2026 05:00:00 +0000

Type Values Removed Values Added
Description The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR (||) instead of AND (&&), causing the validation to fail when the nonce field is not empty OR when verification fails, rather than when it's empty AND verification fails. This makes it possible for unauthenticated attackers to modify the plugin's post type slug removal settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Remove Post Type Slug <= 1.0.2 - Cross-Site Request Forgery to Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Akshayshah5189 Remove Post Type Slug
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:20:38.322Z

Reserved: 2025-12-05T21:23:32.778Z

Link: CVE-2025-14167

cve-icon Vulnrichment

Updated: 2026-02-24T01:32:43.008Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T07:17:34.357

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14167

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T00:15:16Z

Weaknesses