Platform
wordpress
Component
custom-post-type
Fixed in
1.0.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Custom Post Type plugin for WordPress. This flaw, affecting versions 1.0.0 through 1.0, allows unauthenticated attackers to delete custom post types by tricking a site administrator into performing a forged action. While the impact is limited to custom post type deletion, it can disrupt site functionality and data integrity. A fix is pending release from the plugin developer.
The primary impact of this CSRF vulnerability is the unauthorized deletion of custom post types. An attacker could craft a malicious link or embed a hidden form on a website that, when visited by an administrator, triggers the deletion of custom post types. This can lead to data loss, broken site functionality, and a degraded user experience. While direct data exfiltration isn't possible through this vulnerability, it could be chained with other attacks to gain further access or control over the WordPress site. The blast radius is limited to the specific WordPress instance running the vulnerable plugin and its associated custom post types.
This vulnerability was publicly disclosed on 2025-11-21. Currently, there are no known public proof-of-concept exploits available. The EPSS score is likely to be low to medium, given the requirement for administrator interaction and the limited impact. It is not currently listed on the CISA KEV catalog.
WordPress sites utilizing the Custom Post Type plugin are at risk, particularly those with shared hosting environments or where administrator access is not strictly controlled. Sites relying heavily on custom post types for core functionality are also at higher risk, as the deletion of these post types could significantly disrupt site operations.
• wordpress / composer / npm:
grep -r "wp_delete_custom_post_type" /var/www/html/wp-content/plugins/custom-post-type/
• generic web:
curl -I "https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=custom_post_type_delete&post_type=your_custom_post_type" | grep -i '200 ok'
Disclosure
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
Until a patched version of the Custom Post Type plugin is released, several mitigation steps can be taken. First, restrict access to the WordPress admin panel to only authorized personnel. Implement strict URL filtering on your web server to block suspicious requests. Consider using a WordPress security plugin with CSRF protection features. Additionally, carefully review any links or forms received via email or other channels before clicking or submitting them. After a patched version is available, upgrade the plugin immediately and verify that custom post types are intact by listing them within the WordPress admin interface.
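The mechanism described above (a hidden form or link that makes an administrator's logged-in browser submit a delete request) and the corresponding fix are easiest to see side by side. The following is an added example and not the Custom Post Type plugin's own code: a hypothetical admin-ajax delete handler shown first without any request-origin check, then hardened with a WordPress nonce (`check_ajax_referer`), a capability check (`current_user_can`) and a POST-only requirement. The option name `example_cpt_definitions`, the AJAX action `example_cpt_delete` and the nonce action string are assumptions made for the illustration.

```php
<?php
/**
 * Added example (not the plugin's code): an admin-ajax handler that deletes a
 * custom post type definition, shown unprotected and then hardened against CSRF.
 *
 * Assumptions (hypothetical, not taken from the advisory):
 *  - CPT definitions live in the option 'example_cpt_definitions', an array keyed by slug;
 *  - the AJAX action is 'example_cpt_delete';
 *  - the nonce action string is 'example_cpt_delete_' . $slug.
 */

// --- Vulnerable pattern: trusts any request that reaches admin-ajax.php ---
// The browser attaches the admin's auth cookies to a cross-site request, so a
// hidden form on a third-party page is enough to make this handler run.
function example_cpt_delete_unprotected() {
    $slug        = isset( $_REQUEST['post_type'] ) ? sanitize_key( $_REQUEST['post_type'] ) : '';
    $definitions = get_option( 'example_cpt_definitions', array() );
    unset( $definitions[ $slug ] );
    update_option( 'example_cpt_definitions', $definitions );
    wp_send_json_success();
}
// add_action( 'wp_ajax_example_cpt_delete', 'example_cpt_delete_unprotected' );

// --- Hardened pattern: POST only, nonce check, capability check ---
function example_cpt_delete_protected() {
    // A cross-site <img> or plain link can only produce GET; insist on POST.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_send_json_error( 'method not allowed', 405 );
    }

    $slug = isset( $_POST['post_type'] ) ? sanitize_key( wp_unslash( $_POST['post_type'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( 'missing post_type', 400 );
    }

    // CSRF check: the nonce is bound to the logged-in user, the session token and
    // this specific slug, so a forged cross-site request cannot present a valid one.
    // check_ajax_referer() terminates the request (403, body "-1") on failure.
    check_ajax_referer( 'example_cpt_delete_' . $slug, '_wpnonce' );

    // Authorization check: being logged in is not enough; require a capability
    // that only administrators hold by default.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $definitions = get_option( 'example_cpt_definitions', array() );
    if ( ! isset( $definitions[ $slug ] ) ) {
        wp_send_json_error( 'unknown post type', 404 );
    }
    unset( $definitions[ $slug ] );
    update_option( 'example_cpt_definitions', $definitions );

    wp_send_json_success( array( 'deleted' => $slug ) );
}
add_action( 'wp_ajax_example_cpt_delete', 'example_cpt_delete_protected' );

// The legitimate admin page renders the delete form with a matching nonce, so
// only a request built from that page carries a token the handler will accept.
function example_cpt_render_delete_form( $slug ) {
    $slug = sanitize_key( $slug );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="example_cpt_delete">
        <input type="hidden" name="post_type" value="<?php echo esc_attr( $slug ); ?>">
        <?php wp_nonce_field( 'example_cpt_delete_' . $slug, '_wpnonce' ); ?>
        <?php submit_button( __( 'Delete post type' ), 'delete', 'submit', false ); ?>
    </form>
    <?php
}
```

The nonce check is what closes the CSRF hole; the capability check is a separate, necessary control, because `wp_ajax_*` hooks fire for any logged-in user, not only administrators. When reviewing a plugin for this class of bug, look for state-changing handlers that call neither `check_ajax_referer()`/`check_admin_referer()`/`wp_verify_nonce()` nor `current_user_can()`.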
No known patch available. Please review the details of the vulnerability thoroughly and deploy mitigations based on your organization's risk appetite. It may be best to uninstall the affected software and find an alternative.
CVE-2025-13142 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Custom Post Type plugin for WordPress versions 1.0.0–1.0, allowing attackers to delete custom post types.
If you are using the Custom Post Type plugin for WordPress in versions 1.0.0 through 1.0, you are potentially affected by this vulnerability.
Upgrade to a patched version of the Custom Post Type plugin when available. Until then, restrict admin access and implement URL filtering.
As of now, there are no confirmed reports of active exploitation of CVE-2025-13142, but it is recommended to apply mitigations proactively.
Check the plugin developer's website or WordPress.org plugin page for updates and advisories related to CVE-2025-13142.