ACPT Pro CVE-2026-25470

EUVD-2026-37503 · CRITICAL
Code Injection (CWE-94)
2026-06-16 · Patchstack
10.0 (CVSS 3.1) · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary source: 10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

vuln.today (AI): 10.0 CRITICAL

WordPress plugin code-injection reachable over HTTP with no authentication or user interaction; PHP RCE compromises the whole WordPress host beyond the plugin's security authority, justifying S:C and full C/I/A high.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 16, 2026 - 23:45 (vuln.today)
CVE Published: Jun 16, 2026 - 21:25 (cve.org)

Description (CVE.org)

Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin for WordPress allows Remote Code Inclusion.

This issue affects ACPT (Pro) - Custom Post Types Plugin for WordPress: from n/a through 2.0.47.

Analysis (AI)

Remote code execution in the ACPT (Pro) - Custom Post Types Plugin for WordPress (versions through 2.0.47) allows unauthenticated remote attackers to inject and execute arbitrary code on the underlying WordPress host. The CVSS 3.1 base score of 10.0 with a scope change (S:C) indicates the flaw escapes the plugin sandbox and compromises the entire WordPress installation. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Recon: Scan WordPress sites for ACPT Pro ≤ 2.0.47
Delivery: Send crafted HTTP request to vulnerable plugin endpoint
Exploit: Inject attacker-controlled PHP code or include path
Install: Trigger code evaluation in WordPress PHP runtime
C2: Drop webshell under webserver user
Execute: Exfiltrate wp-config.php and database credentials
Impact: Pivot to full site and host compromise

Vulnerability Assessment (AI)

Exploitation: No special conditions. Remote unauthenticated exploitation works against default configurations of the ACPT (Pro) - Custom Post Types Plugin for WordPress, provided the plugin is installed and activated at version 2.0.47 or earlier on a network-reachable WordPress site. …

Risk Assessment: All available signals point to high real-world risk. The CVSS 3.1 score is the maximum 10.0 with AV:N/AC:L/PR:N/UI:N (remote, low complexity, no authentication, no user interaction) and a scope change (S:C) with complete C/I/A impact. …

Exploit Scenario: An attacker enumerates WordPress sites running ACPT Pro (via readme.txt fingerprinting or wp-content/plugins/ path probes), then sends a crafted HTTP request to a vulnerable ACPT endpoint containing PHP code or a remote/local file path that the plugin includes or evaluates. Because no authentication or user interaction is required and complexity is low, the request yields immediate PHP execution under the webserver user, enabling webshell deployment, credential theft from wp-config.php, and pivoting to the database. …

Remediation: Upstream fix availability is not independently confirmed in the supplied data. The Patchstack advisory documents the vulnerability through 2.0.47 but names no fixed version, so administrators should consult the Patchstack entry (https://patchstack.com/database/wordpress/plugin/advanced-custom-post-type/vulnerability/wordpress-acpt-pro-custom-post-types-plugin-for-wordpress-plugin-2-0-47-remote-code-execution-rce-vulnerability) and the ACPT vendor portal for a release newer than 2.0.47 and upgrade immediately once one is available. …

Recommended Action (AI)

Within 24 hours: Identify all instances of ACPT (Pro) version 2.0.47 and earlier; immediately disable the plugin if operationally feasible. …
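As an added example (not vuln.today's or the ACPT project's code), a Python inventory helper for the "identify all instances" step above: it reads the standard WordPress plugin header comment from each plugin's main file under wp-content/plugins, matches on a plugin name containing "ACPT" (the plugin's directory name is not given on this page, so name matching is an assumption) and flags versions at or below 2.0.47 using numeric comparison, so that 2.0.5 is correctly treated as older than 2.0.47. The sample header is constructed.

```python
"""Inventory helper: find ACPT (Pro) installs at or below the last affected version."""
import re
import sys
from pathlib import Path

# Last affected version named on the advisory; no fixed version is confirmed,
# so anything newer is only "not in the documented affected range".
AFFECTED_MAX_VERSION = "2.0.47"

# Standard WordPress plugin header lines, e.g. " * Version: 2.0.47"
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_plugin_header(source: str) -> dict:
    """Extract Plugin Name / Version from the header comment (first 8 KiB only)."""
    fields = {}
    for key, value in HEADER_RE.findall(source[:8192]):
        fields.setdefault(key, value)  # first occurrence wins, as WordPress does
    return fields


def version_tuple(version: str) -> tuple:
    """Numeric components, so 2.0.5 < 2.0.47 (plain string compare gets this wrong)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(name: str, version: str) -> bool:
    """True when the plugin name looks like ACPT and the version is <= 2.0.47."""
    if "acpt" not in name.lower():  # assumption: match on name, not directory slug
        return False
    return version_tuple(version) <= version_tuple(AFFECTED_MAX_VERSION)


def scan_plugins_dir(plugins_dir: str) -> list:
    """Return (path, name, version) for every affected plugin main file found."""
    hits = []
    for php in Path(plugins_dir).glob("*/*.php"):
        header = parse_plugin_header(php.read_text(errors="ignore"))
        name, ver = header.get("Plugin Name"), header.get("Version")
        if name and ver and is_affected(name, ver):
            hits.append((str(php), name, ver))
    return hits


# Constructed sample header for an offline check; not the real plugin file.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: ACPT (Pro) - Custom Post Types Plugin for WordPress\n * Version: 2.0.47\n */\n"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for hit in scan_plugins_dir(target):
        print("AFFECTED:", *hit)
```

Run it with the path to the site's wp-content/plugins directory; an empty result only means no plugin header matched, not that the site is patched.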
