Threat Entry Updated 2025-12-15

CVE-2025-14056 - Custom Post Type Ui Plugin

The Custom Post Type UI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'label' parameter during custom post type import in all versions up to, and including, 1.18.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses the Tools → Get Code page.

PLUGIN Custom Post Type Ui

CVE-2025-14056

MEDIUM CVSS 4.4 2025-12-13

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-12-04

CVE-2025-12826 - Custom Post Type Ui Plugin

The Custom Post Type UI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.18.0. This is due to the plugin not verifying that a user has the required capability to perform actions in the "cptui_process_post_type" function. This makes it possible for authenticated attackers, with subscriber level access and above, to add, edit, or delete custom post types in limited situations.

PLUGIN Custom Post Type Ui

CVE-2025-12826

MEDIUM CVSS 4.8 2025-12-04

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-02-04

CVE-2023-1623 - Custom Post Type Ui Plugin

The Custom Post Type UI WordPress plugin before 1.13.5 does not properly check for CSRF when sending the debug information to a user supplied email, which could allow attackers to make a logged in admin send such information to an arbitrary email address via a CSRF attack.

PLUGIN Custom Post Type Ui

CVE-2023-1623

MEDIUM CVSS 6.5 2023-04-24

Risk Score

Open Full Technical Breakdown