Custom Post Type UI Missing Authorization Vulnerability in WordPress

Vulnerability

A vulnerability exists in the Custom Post Type UI plugin for WordPress, affecting all versions up to and including 1.18.0. The issue stems from the plugin's failure to properly verify user capabilities in the 'cptui_process_post_type' function. This oversight allows authenticated attackers with subscriber-level access or higher to add, edit, or delete custom post types under certain conditions.

Impact

Exploitation of this vulnerability could lead to unauthorized modification of custom post types, allowing attackers to create, change, or remove custom post type entries.

Reproduction

To reproduce this vulnerability, an authenticated user with subscriber-level access or higher can use the 'cptui_process_post_type' function to modify custom post types. The absence of proper authorization checks allows these users to perform actions that should be restricted.
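The defect described above is a missing capability check on a state-changing handler. The following PHP is an added illustration of that pattern and its fix; it is not code from the Custom Post Type UI plugin, and every function, option and field name in it (example_process_post_type_missing_authz, example_post_types, example_post_type, the 'manage_options' capability and the nonce action) is a hypothetical stand-in. The plugin's real 'cptui_process_post_type' function is referenced only by name in the advisory.

```php
<?php
// Added illustrative example, not the plugin's own code. All names below are
// hypothetical; WordPress core functions (current_user_can, wp_verify_nonce,
// get_option, update_option, sanitize_key, WP_Error) are real.

// BEFORE: the handler acts on submitted data as soon as it is well-formed.
// Nothing ties the request to a privileged user, so any authenticated account
// that can reach this code path can add, edit or delete entries.
function example_process_post_type_missing_authz( array $data ) {
    if ( empty( $data['example_post_type']['name'] ) ) {
        return new WP_Error( 'missing_name', 'No post type name given.' );
    }
    $key        = sanitize_key( $data['example_post_type']['name'] );
    $post_types = get_option( 'example_post_types', array() );

    if ( ! empty( $data['example_delete'] ) ) {
        unset( $post_types[ $key ] );            // delete path, also unguarded
    } else {
        $post_types[ $key ] = $data['example_post_type']; // add / edit path
    }
    update_option( 'example_post_types', $post_types );
    return true;
}

// AFTER: authorization and request-integrity checks run before any write.
// 'manage_options' is an assumed capability (subscribers do not have it); the
// advisory does not state which capability the plugin actually requires.
function example_process_post_type_hardened( array $data ) {
    // 1. Authorization: this is the check the advisory says was missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        // Log the denial so repeated attempts are visible to defenders.
        error_log( sprintf( 'example: denied post type change for user %d', get_current_user_id() ) );
        return new WP_Error( 'forbidden', 'You are not allowed to manage post types.', array( 'status' => 403 ) );
    }

    // 2. Request integrity: the nonce is bound to the action and the logged-in
    //    user, so the submission must come from the plugin's own admin form.
    if ( empty( $data['_wpnonce'] ) || ! wp_verify_nonce( $data['_wpnonce'], 'example_save_post_type' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid or expired request.', array( 'status' => 403 ) );
    }

    // 3. Only now validate and apply the change; same logic as before.
    if ( empty( $data['example_post_type']['name'] ) ) {
        return new WP_Error( 'missing_name', 'No post type name given.' );
    }
    $key        = sanitize_key( $data['example_post_type']['name'] );
    $post_types = get_option( 'example_post_types', array() );

    if ( ! empty( $data['example_delete'] ) ) {
        unset( $post_types[ $key ] );
    } else {
        $post_types[ $key ] = $data['example_post_type'];
    }
    update_option( 'example_post_types', $post_types );
    return true;
}

// Hypothetical wiring: run the hardened handler on admin form submissions.
add_action( 'admin_init', function () {
    if ( isset( $_POST['example_post_type'] ) ) {
        example_process_post_type_hardened( wp_unslash( $_POST ) );
    }
} );
```

The point of the ordering is that both the capability check and the nonce check happen before the option is read or written, and that the delete branch is guarded by the same checks as add and edit. On the form side the matching field would be emitted with wp_nonce_field( 'example_save_post_type' ). When reviewing a plugin for this class of bug, look for every handler that calls update_option, delete_option or similar on user-supplied input and confirm a current_user_can check precedes it.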

Remediation

Users are advised to update the Custom Post Type UI plugin to version 1.18.1 or later.

Added: Dec 4, 2025, 7:20 AM
Updated: Dec 4, 2025, 7:20 AM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 1.3
exploitability: 6.4
remediation: 7.7
relevance: 1.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.