{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13142", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-13T18:55:14.976Z", "datePublished": "2025-11-21T07:31:50.691Z", "dateUpdated": "2026-04-08T16:50:22.015Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:50:22.015Z"}, "affected": [{"vendor": "farvehandleren", "product": "Custom Post Type", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Custom Post Type plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the custom post type deletion functionality. This makes it possible for unauthenticated attackers to delete custom post types via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Custom Post Type <= 1.0 - Cross-Site Request Forgery to Custom Post Type Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48fefbd5-d872-4f47-8696-d73fbc9133ed?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/custom-post-type/tags/1.0/cupta-dmin.php#L29"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2025-11-20T19:22:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-24T16:49:13.988995Z", "id": "CVE-2025-13142", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T18:06:36.988Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13142", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-24T16:49:13.988995Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T16:50:59.874Z"}}], "cna": {"title": "Custom Post Type <= 1.0 - Cross-Site Request Forgery to Custom Post Type Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "farvehandleren", "product": "Custom Post Type", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-20T19:22:49.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48fefbd5-d872-4f47-8696-d73fbc9133ed?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/custom-post-type/tags/1.0/cupta-dmin.php#L29"}], "descriptions": [{"lang": "en", "value": "The Custom Post Type plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the custom post type deletion functionality. This makes it possible for unauthenticated attackers to delete custom post types via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-21T07:31:50.691Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13142", "state": "PUBLISHED", "dateUpdated": "2025-11-24T18:06:36.988Z", "dateReserved": "2025-11-13T18:55:14.976Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-21T07:31:50.691Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Custom Post Type plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the custom post type deletion functionality. This makes it possible for unauthenticated attackers to delete custom post types via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-13142", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-21T08:15:55.097", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/custom-post-type/tags/1.0/cupta-dmin.php#L29"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48fefbd5-d872-4f47-8696-d73fbc9133ed?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:08:15.824084+00:00", "value": {"mitigation_remediation": ["Upgrade the Custom Post Type plugin to a corrected version that implements nonce validation for deletion (if an updated release is available).", "If no updated version exists, modify the plugin code to include a nonce field in the deletion URL and verify it server\u2011side before allowing the delete action.", "Restrict the deletion capability to administrators only and consider disabling the delete function entirely if not required for the site\u2019s operation.", "Implement monitoring of admin activity to detect unusual deletion requests and log such events for auditability."], "summary": {"action": "Apply Patch", "impact": "Unauthorized deletion of custom post types"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Custom Post Type WordPress plugin from the vendor farvehandleren, versions 1.0 and earlier. Any user running these versions is susceptible, independent of the overall WordPress installation.", "description_and_impact": "The Custom Post Type plugin for WordPress does not validate a nonce on delete requests, enabling a Cross\u2011Site Request Forgery attack. An attacker can craft a URL that, when visited by a logged\u2011in administrator, results in the deletion of one or more custom post types, directly impacting the integrity and availability of the site and potentially turning it into a denial\u2011of\u2011service vector.", "risk_and_exploitability": "The CVSS score is 4.3, indicating a low severity overall, and the EPSS score is below 1\u202f%, suggesting that exploitation is unlikely in the wild. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires the attacker to convince an administrator to click a forged link or otherwise execute the deletion request; therefore, the attack vector is highly user\u2011dependent. Although no active exploitation has been reported, the potential impact on data integrity warrants prompt remediation."}}}}, "created": "2025-11-24T09:09:58.018587+00:00", "updated": "2026-04-21T18:15:36.369573+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}