Description
Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin for WordPress allows Remote Code Inclusion.

This issue affects ACPT (Pro) - Custom Post Types Plugin for WordPress: from n/a through 2.0.47.
Published: 2026-06-16
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper control of code generation, allowing attackers to inject and execute arbitrary code through the ACPT (Pro) - Custom Post Types Plugin for WordPress. This flaw enables remote code inclusion, compromising the integrity and confidentiality of the affected WordPress installation and potentially leading to full system takeover.

Affected Systems

WordPress sites that have installed the ACPT (Pro) plugin on any version up to and including 2.0.47. Each occurrence of the plugin in any content, admin, or user-facing area is vulnerable.

Risk and Exploitability

The CVSS score of 10 indicates the highest possible severity, while the EPSS score of less than 1% suggests that the vulnerability is rarely reported or exploited in the wild at present. It is not listed in the CISA KEV catalog, yet the remote code execution nature and high base severity make it a priority target for attackers. Likely exploitation would involve sending crafted input via HTTP requests to the plugin’s endpoints or configuration interfaces, causing the server to evaluate the injected code.

Generated by OpenCVE AI on June 17, 2026 at 19:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ACPT (Pro) plugin to the latest release that removes the code injection flaw.
  • If an immediate update is not feasible, disable or uninstall the plugin entirely until a fix is available.
  • Restrict plugin usage and configuration to trusted administrators and block or sanitize any user-supplied input that the plugin processes.

Generated by OpenCVE AI on June 17, 2026 at 19:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Acpt
Acpt acpt (pro) - Custom Post Types Plugin For Wordpress
Wordpress
Wordpress wordpress
Vendors & Products Acpt
Acpt acpt (pro) - Custom Post Types Plugin For Wordpress
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin for WordPress allows Remote Code Inclusion. This issue affects ACPT (Pro) - Custom Post Types Plugin for WordPress: from n/a through 2.0.47.
Title WordPress ACPT (Pro) - Custom Post Types plugin for WordPress plugin <= 2.0.47 - Remote Code Execution (RCE) vulnerability
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Acpt Acpt (pro) - Custom Post Types Plugin For Wordpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:35:41.119Z

Reserved: 2026-02-02T12:53:59.642Z

Link: CVE-2026-25470

cve-icon Vulnrichment

Updated: 2026-06-17T10:35:35.375Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:16Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')