CVE-2026-25470
Status: Deferred - Pending Action
Code Injection in ACPT Custom Post Types WordPress Plugin

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin for WordPress allows Remote Code Inclusion. This issue affects ACPT (Pro) - Custom Post Types Plugin for WordPress: from n/a through 2.0.47.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: acpt
Product: custom_post_types_plugin
Version / Range: to 2.0.47 (inc)
CWE ID: CWE-94
Description: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Executive Summary

CVE-2026-25470 is a critical vulnerability in the ACPT (Pro) - Custom Post Types Plugin for WordPress, specifically versions 2.0.47 and below. It is a Remote Code Execution (RCE) flaw that allows attackers to execute arbitrary code on the affected website remotely.

This vulnerability arises from improper control of code generation, also known as code injection, which enables attackers to include and run malicious code on the server hosting the WordPress site.

Exploitation does not require any privileges or user interaction, making it highly dangerous and easy to exploit.

Impact Analysis

This vulnerability can have severe impacts, including allowing attackers to gain backdoor access to, and full control over, the affected WordPress website.

Attackers can execute arbitrary commands, potentially leading to data theft, website defacement, malware distribution, or use of the compromised site as a launchpad for further attacks.

Because the vulnerability is easy to exploit without any privileges, it poses a high risk to websites regardless of their size or popularity.

Detection Guidance

There is no specific detection method or commands provided in the available resources for identifying this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability, users are strongly advised to update the ACPT (Pro) - Custom Post Types Plugin for WordPress to a version higher than 2.0.47 as soon as an official patch is released.

Until an official fix is available, Patchstack has issued a mitigation rule to block attacks targeting this vulnerability.

Users should also consider seeking assistance from their hosting provider or developer to implement temporary protections.

Compliance Impact

The vulnerability allows remote code execution, enabling attackers to gain backdoor access and full control over affected websites. This can lead to unauthorized access, data breaches, and potential exposure of sensitive information.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

However, the provided information does not explicitly detail the direct impact on compliance with these standards.
