{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13405", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-19T14:06:15.303Z", "datePublished": "2025-11-25T07:28:25.203Z", "dateUpdated": "2026-04-08T17:17:11.007Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:11.007Z"}, "affected": [{"vendor": "buywptemplates", "product": "Ace Post Type Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ace Post Type Builder plugin for WordPress is vulnerable to unauthorized custom taxonomy deletion due to missing authorization validation on the cptb_delete_custom_taxonomy() function in all versions up to, and including, 1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary custom taxonomies."}], "title": "Ace Post Type Builder <= 1.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Custom Taxonomy Deletion via 'taxonomy' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b56cef33-057b-4c40-945f-68306597b00b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ace-post-type-builder/trunk/includes/class-cptb-core.php#L400"}, {"url": "https://plugins.trac.wordpress.org/browser/ace-post-type-builder/tags/1.9/includes/class-cptb-core.php#L400"}, {"url": "https://plugins.trac.wordpress.org/changeset/3412781/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2025-11-24T19:07:20.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-25T14:35:38.556754Z", "id": "CVE-2025-13405", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:35:52.840Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13405", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-25T14:35:38.556754Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:35:47.304Z"}}], "cna": {"title": "Ace Post Type Builder <= 1.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Custom Taxonomy Deletion via 'taxonomy' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "buywptemplates", "product": "Ace Post Type Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-24T19:07:20.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b56cef33-057b-4c40-945f-68306597b00b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ace-post-type-builder/trunk/includes/class-cptb-core.php#L400"}, {"url": "https://plugins.trac.wordpress.org/browser/ace-post-type-builder/tags/1.9/includes/class-cptb-core.php#L400"}, {"url": "https://plugins.trac.wordpress.org/changeset/3412781/"}], "descriptions": [{"lang": "en", "value": "The Ace Post Type Builder plugin for WordPress is vulnerable to unauthorized custom taxonomy deletion due to missing authorization validation on the cptb_delete_custom_taxonomy() function in all versions up to, and including, 1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary custom taxonomies."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:11.007Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13405", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:17:11.007Z", "dateReserved": "2025-11-19T14:06:15.303Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-25T07:28:25.203Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ace Post Type Builder plugin for WordPress is vulnerable to unauthorized custom taxonomy deletion due to missing authorization validation on the cptb_delete_custom_taxonomy() function in all versions up to, and including, 1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary custom taxonomies."}], "id": "CVE-2025-13405", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-25T08:15:51.370", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ace-post-type-builder/tags/1.9/includes/class-cptb-core.php#L400"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ace-post-type-builder/trunk/includes/class-cptb-core.php#L400"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3412781/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b56cef33-057b-4c40-945f-68306597b00b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:20:05.764569+00:00", "value": {"mitigation_remediation": ["Update the Ace Post Type Builder plugin to the latest version that includes the missing authorization check.", "If an update is unavailable, block or filter the cptb_delete_taxonomy action (e.g., via a WAF rule that rejects requests containing the 'taxonomy' parameter for non\u2011admin roles).", "Review Subscriber accounts and consider revoking the role or adding stronger role\u2011based restrictions until the plugin is patched."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Taxonomy Deletion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of Ace Post Type Builder version 1.9 and earlier, distributed by buywptemplates. Any WordPress site running those versions is vulnerable, regardless of the number of users or company size, because the flaw is present in the core plugin code and not mitigated by additional settings.", "description_and_impact": "The Ace Post Type Builder plugin contains a missing authorization check in the cptb_delete_custom_taxonomy() function, which allows any authenticated user with at least Subscriber privileges to delete arbitrary custom taxonomies. This flaw violates the Missing Authorization principle (CWE-862) and can lead to loss of taxonomy definitions, compromising content categorization and potentially rendering the site dysfunctional. The impact is a loss of data integrity for the affected taxonomy and any content that relies on it, although it does not provide direct code execution or disclosure of sensitive data.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated and can exploit the flaw by sending a request to the taxonomy deletion endpoint using the 'taxonomy' parameter. No additional privileges beyond Subscriber are required, so the attack path is straightforward once the attacker has a valid user session."}}}}, "created": "2025-12-01T15:19:22.297259+00:00", "updated": "2026-04-21T01:30:24.388736+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}