Description
Cross-Site Request Forgery (CSRF) vulnerability in syedamirhussain91 Custom Post custom-post-type-gui allows Stored XSS. This issue affects Custom Post: from n/a through <= 1.0.
Published: 2025-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross-Site Request Forgery flaw in the syedamirhussain91 Custom Post custom-post-type-gui plugin allows an attacker to submit a crafted request that stores malicious JavaScript in a custom post. Because the plugin does not verify a CSRF token on the request, a logged-in administrator or other privileged user who is lured into submitting it unknowingly saves the injected script. Subsequent visitors to the affected post execute the script in their browsers, potentially exposing session cookies, defacing the site, or enabling further attacks.

Affected Systems

WordPress installations that use the Custom Post plugin up to and including version 1.0. The flaw is confined to this vendor’s product; no other WordPress core components or plugins are directly implicated.

Risk and Exploitability

The CVSS score of 7.1 places the vulnerability in the high-severity range. Although the EPSS score is below 1%, indicating a low current probability of exploitation, the vulnerability is publicly exploitable for as long as the site continues to run the affected plugin. The absence of a KEV listing does not diminish the risk: the attack requires only that a privileged user be induced to submit a crafted request, which can be delivered from anywhere on the public internet. Once stored, the XSS payload runs in the browser context of any user who views the post, enabling theft of sensitive information or hijacking of user sessions.

Generated by OpenCVE AI on May 2, 2026 at 06:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Custom Post plugin to the newest release that removes the CSRF flaw.
  • If an update is not immediately available, limit access to the WordPress administration area (e.g., via IP whitelisting or VPN) and ensure that every state-changing (POST) request to the plugin's endpoints carries a valid CSRF token (in WordPress, a nonce bound to the action).
  • Disable or deactivate the Custom Post plugin entirely until the vendor releases a patch and no critical content relies on it.
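The last two actions above amount to the standard WordPress defence against CWE-352: tie every state-changing admin request to a nonce that the handler verifies, check the caller's capability, and escape stored values on output so that anything already stored cannot run as script. The block below is an added example written for this page; it is not code from the Custom Post plugin and makes no claim about how that plugin is implemented. Every name prefixed `example_` (the form, the admin-post action, the option name) is hypothetical.

```php
<?php
// Added example, not the plugin's code. Shows the generic pattern CWE-352
// describes and the hardened form that WordPress nonces provide.
// All "example_" identifiers are hypothetical.

// ---- Pattern the CWE describes (generic illustration, for contrast) ----
// A handler that trusts any POST from a logged-in browser and echoes the
// stored value unescaped: a cross-site form submission is saved and later
// rendered as markup.
function example_insecure_handle_save() {
    update_option( 'example_label', $_POST['example_label'] ); // no nonce, no sanitizing
}
function example_insecure_render_label() {
    echo '<span>' . get_option( 'example_label', '' ) . '</span>'; // no escaping
}

// ---- Hardened form ----

// 1. Render the form with a nonce field bound to one specific action.
//    The nonce is derived from the current user, session token and action,
//    so a form assembled on a third-party site cannot supply a valid one.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_post_type">
        <?php wp_nonce_field( 'example_save_post_type', 'example_nonce' ); ?>
        <label for="example_label">Label</label>
        <input type="text" id="example_label" name="example_label"
               value="<?php echo esc_attr( get_option( 'example_label', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handle the POST: capability check, then nonce check, then sanitization.
//    check_admin_referer() terminates the request with HTTP 403 when the nonce
//    is missing, expired, or was issued for a different action or user. This
//    is the check that defeats a cross-site request.
function example_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_post_type', 'example_nonce' );

    $label = isset( $_POST['example_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_label'] ) )
        : '';
    update_option( 'example_label', $label );

    wp_safe_redirect( admin_url( 'options-general.php?page=example&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_save_post_type', 'example_handle_save' );

// 3. Escape on output so that a value that did reach the database (for
//    instance, one saved before the nonce check existed) is rendered as text,
//    not executed as script.
function example_render_label() {
    echo '<span>' . esc_html( get_option( 'example_label', '' ) ) . '</span>';
}
```

The order of the checks matters: the capability test runs first so that an unprivileged user cannot learn whether a nonce was accepted, and the nonce test runs before any input is read or written. Input sanitization and output escaping are kept as separate layers; neither replaces the nonce, which is the control that addresses the CSRF itself.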

Advisories

Source: EUVD
ID: EUVD-2025-3251
Title: Cross-Site Request Forgery (CSRF) vulnerability in Syed Amir Hussain Custom Post allows Stored XSS. This issue affects Custom Post: from n/a through 1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Syed Amir Hussain Custom Post allows Stored XSS.This issue affects Custom Post: from n/a through 1.0.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in syedamirhussain91 Custom Post custom-post-type-gui allows Stored XSS.This issue affects Custom Post: from n/a through <= 1.0.
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 17 Jan 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Jan 2025 20:15:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Syed Amir Hussain Custom Post allows Stored XSS.This issue affects Custom Post: from n/a through 1.0.
Type: Title
Values Added: WordPress Custom Post plugin <= 1.0 - CSRF to Stored XSS vulnerability
Type: Weaknesses
Values Added: CWE-352
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:13.340Z

Reserved: 2025-01-16T11:26:20.969Z

Link: CVE-2025-23566

Vulnrichment

Updated: 2025-01-17T17:21:38.236Z

NVD

Status: Deferred

Published: 2025-01-16T20:15:39.947

Modified: 2026-06-17T08:55:25.230

Link: CVE-2025-23566

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T06:30:36Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)