Impact
The vulnerability arises from improper control of code generation, allowing attackers to inject and execute arbitrary code through the ACPT (Pro) - Custom Post Types Plugin for WordPress. This flaw enables remote code inclusion, compromising the integrity and confidentiality of the affected WordPress installation and potentially leading to full system takeover.
Affected Systems
WordPress sites that have installed the ACPT (Pro) plugin on any version up to and including 2.0.47. Each occurrence of the plugin in any content, admin, or user-facing area is vulnerable.
Risk and Exploitability
The CVSS score of 10 indicates the highest possible severity, while the EPSS score of less than 1% suggests that the vulnerability is rarely reported or exploited in the wild at present. It is not listed in the CISA KEV catalog, yet the remote code execution nature and high base severity make it a priority target for attackers. Likely exploitation would involve sending crafted input via HTTP requests to the plugin’s endpoints or configuration interfaces, causing the server to evaluate the injected code.
OpenCVE Enrichment