{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1510", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-20T19:17:14.506Z", "datePublished": "2025-02-22T03:21:00.228Z", "dateUpdated": "2026-04-08T17:10:51.937Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:51.937Z"}, "affected": [{"vendor": "keesiemeijer", "product": "Custom Post Type Date Archives", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.7.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The Custom Post Type Date Archives plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.7.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}], "title": "Custom Post Type Date Archives <= 2.7.1 - Missing Authorization to Unauthenticated Arbitrary Shortcode Execution", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/996ade9c-2531-4f43-87f6-eddb2ce98a12?source=cve"}, {"url": "https://wordpress.org/plugins/custom-post-type-date-archives/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Krzysztof Zaj\u0105c"}], "timeline": [{"time": "2025-02-21T15:00:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-22T15:27:14.096577Z", "id": "CVE-2025-1510", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-22T15:27:34.620Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1510", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-22T15:27:14.096577Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-22T15:27:30.436Z"}}], "cna": {"title": "Custom Post Type Date Archives <= 2.7.1 - Missing Authorization to Unauthenticated Arbitrary Shortcode Execution", "credits": [{"lang": "en", "type": "finder", "value": "Krzysztof Zaj\u0105c"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}}], "affected": [{"vendor": "keesiemeijer", "product": "Custom Post Type Date Archives", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.7.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-21T15:00:41.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/996ade9c-2531-4f43-87f6-eddb2ce98a12?source=cve"}, {"url": "https://wordpress.org/plugins/custom-post-type-date-archives/"}], "descriptions": [{"lang": "en", "value": "The The Custom Post Type Date Archives plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.7.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-02-22T03:21:00.228Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1510", "state": "PUBLISHED", "dateUpdated": "2025-02-22T15:27:34.620Z", "dateReserved": "2025-02-20T19:17:14.506Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-02-22T03:21:00.228Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The The Custom Post Type Date Archives plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.7.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}], "id": "CVE-2025-1510", "lastModified": "2025-02-22T04:15:10.040", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-02-22T04:15:10.040", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/custom-post-type-date-archives/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/996ade9c-2531-4f43-87f6-eddb2ce98a12?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T22:18:43.793031+00:00", "value": {"mitigation_remediation": ["Upgrade Custom Post Type Date Archives to version 2.7.2 or later to apply the vendor\u2019s fix", "If an upgrade is not immediately possible, deactivate or uninstall the plugin to prevent the vulnerable code from executing", "As a temporary measure, restrict or disable the use of `do_shortcode` in the theme or use a plugin that sanitizes user\u2011supplied shortcodes before execution"], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Shortcode Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin Custom Post Type Date Archives, released by keesiemeijer, in all versions up to and including 2.7.1. Administrators running any of these plugin releases should be aware that the plugin\u2019s version does not contain the necessary authorization checks to limit shortcode execution to trusted users.", "description_and_impact": "The Custom Post Type Date Archives plugin allows execution of any shortcode supplied by a user without validating the source or ensuring that the user has proper privileges. This flaw is a form of code injection that lets an unauthenticated adversary insert malicious shortcodes which may be processed by WordPress\u2019s `do_shortcode` function, potentially allowing the attacker to run arbitrary code or commands. The resulting breach could compromise the confidentiality, integrity, and availability of the site, and may ultimately provide full control over the web application.", "risk_and_exploitability": "With a CVSS score of 7.3 the flaw is considered high severity, yet the EPSS score is listed as less than 1%, indicating a very low probability of exploitation at the moment. The vulnerability is not present in the CISA KEV catalog, which further suggests that there are no widely documented exploits. The attack vector is inferred to be unauthenticated remote, likely via a crafted HTTP request or by embedding a malicious shortcode in a page or post that the plugin parses, because the plugin fails to enforce user permissions before calling `do_shortcode`. While this chain of exploitation is viable, the low EPSS score reflects the relative novelty or low market interest in this particular vector. Nonetheless, the potential impact warrants prompt action to eliminate the risk."}}}}, "created": "2025-07-12T22:15:39.069303+00:00", "updated": "2026-04-21T22:30:06.129585+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}