Platform
wordpress
Component
custom-post-type
Fixed in
1.0.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Custom Post Type plugin for WordPress, reported against versions 1.0.0 through 1.0. The attacker needs no account on the target site: it is enough to get a logged-in administrator to load attacker-controlled content (a link, an image tag or an auto-submitting form) that sends a request to the plugin's delete action. The administrator's browser attaches the session cookies automatically, and a state-changing action is forgeable whenever it accepts such a request without requiring a per-request token the attacker cannot obtain (in WordPress, a nonce). The impact is limited to deletion of custom post types, but that can break site functionality and damage data integrity. This page lists 1.0.1 as the fixed version while the original write-up described the fix as pending, so confirm the current release on the WordPress.org plugin page rather than assuming a patch is available.
The primary impact is unauthorized deletion of custom post types. An attacker crafts a link, or embeds a hidden auto-submitting form or image tag on a page they control; when an administrator who is logged in to the vulnerable site views it, the browser issues the deletion request with the administrator's cookies and the plugin carries it out. The result is data loss, broken site functionality and a degraded user experience. The vulnerability does not let the attacker read anything (CSRF is write-only from the attacker's side, since the response goes to the victim's browser), but it could be chained with other weaknesses to gain further access or control over the WordPress site. The blast radius is limited to the specific WordPress instance running the vulnerable plugin and the custom post types it manages.
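To make the mechanism concrete, the following is an added illustration and not the Custom Post Type plugin's code (the plugin's actual root cause is not stated on this page). It shows a hypothetical delete handler with the shape that makes a WordPress admin action forgeable, beside a hardened version that binds the action to a nonce and checks the caller's capability. All function, hook and option names prefixed example_cpt_ are invented for the example.

```php
<?php
// Added illustration, not the Custom Post Type plugin's code. All names
// prefixed example_cpt_ are invented for this example.

// VULNERABLE SHAPE: a state-changing action keyed off a request parameter,
// with no nonce and no capability check. The browser attaches the admin's
// session cookies automatically, so a page the admin merely views can fire it:
//   <img src="https://victim.example/wp-admin/?example_delete_cpt=books">
function example_cpt_delete_vulnerable() {
    if ( ! isset( $_GET['example_delete_cpt'] ) ) {
        return;
    }
    $slug = sanitize_key( $_GET['example_delete_cpt'] );
    delete_option( 'example_cpt_' . $slug ); // forged request succeeds
}
add_action( 'admin_init', 'example_cpt_delete_vulnerable' );

// HARDENED: the delete link carries a nonce bound to the action and the slug,
// the request goes through admin-post.php, and the handler checks both the
// nonce and the caller's capability before touching anything.
function example_cpt_delete_link( $slug ) {
    $url = add_query_arg(
        array( 'action' => 'example_cpt_delete', 'cpt' => $slug ),
        admin_url( 'admin-post.php' )
    );
    // Appends _wpnonce=<token>; the token is tied to the user, their session
    // and this exact action string, and it expires.
    return wp_nonce_url( $url, 'example_cpt_delete_' . $slug );
}

function example_cpt_delete_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    $slug = isset( $_REQUEST['cpt'] ) ? sanitize_key( wp_unslash( $_REQUEST['cpt'] ) ) : '';
    // check_admin_referer() calls wp_die() unless _wpnonce is valid for this
    // exact action string, so a forged request without the token stops here.
    check_admin_referer( 'example_cpt_delete_' . $slug );
    delete_option( 'example_cpt_' . $slug );
    wp_safe_redirect( admin_url( 'admin.php?page=example_cpt&deleted=1' ) );
    exit;
}
add_action( 'admin_post_example_cpt_delete', 'example_cpt_delete_hardened' );
```

Both checks in the hardened handler are needed: the nonce stops forged requests from other sites, and the capability check stops a low-privileged logged-in user from fetching their own nonce and calling the action directly. A quick way to triage any installed plugin for this class of bug is to find its delete or update paths and confirm that each one calls check_admin_referer() or wp_verify_nonce() together with a current_user_can() test before changing state.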
This vulnerability was publicly disclosed on 2025-11-21. No public proof-of-concept exploit is currently known. The EPSS score listed below (0.03%, 8th percentile) is low, consistent with the need to lure an administrator and with the limited impact. It is not listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (8th percentile)
CISA SSVC
CVSS Vector
Until a patched version of the Custom Post Type plugin is installed, several mitigations reduce exposure. Restrict access to /wp-admin/ and admin-post.php to authorized personnel, ideally by a source IP allowlist or an extra authentication layer in front of the admin area, since a forged request that never reaches the admin endpoints cannot delete anything. Do not rely on generic URL filtering: the forged request comes from the administrator's own browser, with valid cookies and a normal-looking URL. What a web server or security plugin can usefully reject is a state-changing admin request whose Origin or Referer header names another site; many WordPress security plugins offer this kind of CSRF protection. Administrators should treat unsolicited links and forms, including ones arriving by email, with suspicion while logged in to the site, or use a separate browser profile for administration. Once a patched version is available, upgrade immediately and verify that custom post types are intact, for example by listing them in the WordPress admin interface or with wp post-type list from WP-CLI.
If no patched release is available to you, review the vulnerability's details above and employ mitigations based on your organization's risk tolerance; uninstalling the plugin and replacing it is a reasonable option. Note that content belonging to a custom post type stays in the database when the plugin that registers the type is removed, but it becomes unreachable in the admin interface until some plugin registers the type again, so record the type definitions before removal.
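As an added example of the site-wide defence a security plugin typically provides for this class of bug (this is not code from the Custom Post Type plugin or from any named product), the following must-use plugin rejects POST requests to the admin area from a logged-in user when the Origin header, or failing that the Referer header, names a host other than the one serving admin_url(). File and function names are invented; the one assumption is that the admin area is served from the host of admin_url().

```php
<?php
/*
 * Plugin Name: Example cross-site admin POST guard
 * Description: Added illustration of an interim CSRF mitigation; not part of the
 * Custom Post Type plugin. Save as wp-content/mu-plugins/example-csrf-guard.php.
 */

// Returns true when the request's Origin (preferred) or Referer header names
// $site_host. Both absent is treated as cross-site: browsers send at least one
// of them on a same-site form POST unless a no-referrer policy strips both.
function example_same_site_request( $origin, $referer, $site_host ) {
    $candidate = '' !== $origin ? $origin : $referer;
    if ( '' === $candidate ) {
        return false;
    }
    $host = wp_parse_url( $candidate, PHP_URL_HOST );
    return is_string( $host ) && strtolower( $host ) === strtolower( $site_host );
}

function example_block_cross_site_admin_post() {
    // CSRF needs an authenticated victim; anonymous POSTs (e.g. nopriv AJAX) are
    // out of scope and are left alone so public integrations keep working.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) || ! is_user_logged_in() ) {
        return;
    }
    $site_host = wp_parse_url( admin_url(), PHP_URL_HOST );
    $ok = example_same_site_request(
        $_SERVER['HTTP_ORIGIN'] ?? '',
        $_SERVER['HTTP_REFERER'] ?? '',
        $site_host
    );
    if ( ! $ok ) {
        error_log( sprintf(
            'example-csrf-guard: rejected POST to %s from origin "%s" referer "%s"',
            $_SERVER['REQUEST_URI'] ?? '',
            $_SERVER['HTTP_ORIGIN'] ?? '',
            $_SERVER['HTTP_REFERER'] ?? ''
        ) );
        wp_die( 'Cross-site request rejected.', 'Forbidden', array( 'response' => 403 ) );
    }
}
// admin_init fires for wp-admin pages, admin-post.php and admin-ajax.php, which
// covers the places a plugin normally wires a delete action.
add_action( 'admin_init', 'example_block_cross_site_admin_post' );
```

Two caveats apply. The guard only inspects POST, so if the plugin's delete action is triggered by a GET parameter (this page does not say which), it is not covered; checking Referer on admin GET requests would break bookmarks and direct navigation. And treating a request with neither header as cross-site is the strict choice: it blocks a browser that has been configured to send no Referer and no Origin, so watch the error log for false positives after deploying it.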
CVE-2025-13142 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Custom Post Type plugin for WordPress versions 1.0.0–1.0, allowing attackers to delete custom post types.
If you are using the Custom Post Type plugin for WordPress in versions 1.0.0 through 1.0, you are potentially affected by this vulnerability.
Upgrade to a patched version of the Custom Post Type plugin as soon as one is available (this page lists 1.0.1). Until then, restrict admin access and reject cross-site state-changing admin requests at the web server or with a security plugin.
As of now, there are no confirmed reports of active exploitation of CVE-2025-13142, but it is recommended to apply mitigations proactively.
Check the plugin developer's website or WordPress.org plugin page for updates and advisories related to CVE-2025-13142.