{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12826", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-06T19:14:37.111Z", "datePublished": "2025-12-04T06:48:40.592Z", "dateUpdated": "2026-04-08T17:06:50.072Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:50.072Z"}, "affected": [{"vendor": "webdevstudios", "product": "Custom Post Type UI", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.18.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Custom Post Type UI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.18.0. This is due to the plugin not verifying that a user has the required capability to perform actions in the \"cptui_process_post_type\" function. This makes it possible for authenticated attackers, with subscriber level access and above, to add, edit, or delete custom post types in limited situations."}], "title": "Custom Post Type UI <= 1.18.0 - Missing Authorization to Unauthenticated (Previously Administrator+) Custom Post Type Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/90d203b1-9426-4eff-b566-02c8a1c6adfa?source=cve"}, {"url": "https://github.com/WebDevStudios/custom-post-type-ui/commit/215779a5ac0c624f0dcf875e87305b4898d5bcf9"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 4.8, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "mahdi salhi"}], "timeline": [{"time": "2025-10-29T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-11-19T16:47:37.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-03T18:13:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T17:21:52.610540Z", "id": "CVE-2025-12826", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T17:22:05.191Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12826", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-05T17:21:52.610540Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T17:22:00.888Z"}}], "cna": {"title": "Custom Post Type UI <= 1.18.0 - Missing Authorization to Unauthenticated (Previously Administrator+) Custom Post Type Modification", "credits": [{"lang": "en", "type": "finder", "value": "mahdi salhi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "webdevstudios", "product": "Custom Post Type UI", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.18.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-29T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-11-19T16:47:37.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-03T18:13:21.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/90d203b1-9426-4eff-b566-02c8a1c6adfa?source=cve"}, {"url": "https://github.com/WebDevStudios/custom-post-type-ui/commit/215779a5ac0c624f0dcf875e87305b4898d5bcf9"}], "descriptions": [{"lang": "en", "value": "The Custom Post Type UI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.18.0. This is due to the plugin not verifying that a user has the required capability to perform actions in the \"cptui_process_post_type\" function. This makes it possible for authenticated attackers, with subscriber level access and above, to add, edit, or delete custom post types in limited situations."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:50.072Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12826", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:06:50.072Z", "dateReserved": "2025-11-06T19:14:37.111Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-04T06:48:40.592Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Custom Post Type UI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.18.0. This is due to the plugin not verifying that a user has the required capability to perform actions in the \"cptui_process_post_type\" function. This makes it possible for authenticated attackers, with subscriber level access and above, to add, edit, or delete custom post types in limited situations."}], "id": "CVE-2025-12826", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-04T07:16:14.920", "references": [{"source": "security@wordfence.com", "url": "https://github.com/WebDevStudios/custom-post-type-ui/commit/215779a5ac0c624f0dcf875e87305b4898d5bcf9"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/90d203b1-9426-4eff-b566-02c8a1c6adfa?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:21:40.990290+00:00", "value": {"mitigation_remediation": ["Upgrade Custom Post Type UI to version 1.19.0 or later, where the authorization fix is applied.", "Restrict the capability to manage custom post types so that only administrators can add, edit, or delete them; remove this capability from non\u2011administrator roles.", "Review site logs for any unauthorized custom post type changes and restore the original configurations if necessary."], "summary": {"action": "Update plugin", "impact": "Unauthorized modification of custom post types by authenticated users"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Custom Post Type UI plugin from WebDevStudios, in any release up to and including version 1.18.0, are affected.", "description_and_impact": "The plugin fails to verify user capabilities in the cptui_process_post_type function, allowing any authenticated user with subscriber level or higher to add, edit, or delete custom post types. This authorization bypass can alter the site\u2019s custom post type definitions without proper privilege checks.", "risk_and_exploitability": "The CVSS score is 4.8, indicating moderate severity. The EPSS is less than 1%, reflecting a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated with at least subscriber-level access, and the flaw is exercised when the plugin\u2019s CPT management screens are accessed. No publicly disclosed exploit is mentioned in the provided data."}}}}, "created": "2025-12-04T16:43:49.991331+00:00", "updated": "2026-04-22T00:30:04.046854+00:00", "vendors": ["webdevstudios", "webdevstudios$PRODUCT$custom_post_type_ui", "wordpress", "wordpress$PRODUCT$wordpress"]}