CVE-2025-14056
Stored XSS in Custom Post Type UI Plugin Allows Admin Script Injection
Publication date: 2025-12-13
Last updated on: 2025-12-13
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | custom_post_type_ui | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Custom Post Type UI plugin for WordPress. It occurs via the 'label' parameter during the import of custom post types. Due to insufficient input sanitization and output escaping, an authenticated attacker with Administrator-level access can inject arbitrary web scripts. These scripts execute whenever a user accesses the Tools β Get Code page.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources and context do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the Custom Post Type UI plugin version is 1.18.1 or earlier, as these versions are vulnerable. Since the vulnerability is a Stored Cross-Site Scripting (XSS) via the 'label' parameter during custom post type import, detection can include checking for suspicious or unexpected script tags or payloads in the custom post type labels, especially those imported recently. There are no explicit commands provided in the resources for detection. However, administrators can review the plugin version installed in WordPress by running WP-CLI commands such as `wp plugin list` to check the version of custom-post-type-ui. Additionally, inspecting the database entries for custom post types labels for suspicious scripts may help. Since the vulnerability requires Administrator-level access to exploit, monitoring admin actions and imports related to custom post types may also help detect exploitation attempts. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Custom Post Type UI plugin to version 1.18.2 or later, where the vulnerability has been fixed by improving input sanitization and output escaping. This update addresses the Stored Cross-Site Scripting issue by properly handling the 'label' parameter during custom post type import. Until the update is applied, restrict Administrator-level access to trusted users only, and avoid importing custom post types from untrusted sources. Monitoring and auditing admin activities related to custom post types is also recommended. [1]
How can this vulnerability impact me? :
The vulnerability allows an attacker with Administrator-level access to inject malicious scripts that execute in the context of users visiting the Tools β Get Code page. This can lead to unauthorized actions such as stealing user credentials, performing actions on behalf of users, or compromising the integrity of the website.