Platform: wordpress
Component: advanced-custom-post-type
Fixed in: 2.0.48
CVE-2026-25470 is a critical Remote Code Execution (RCE) vulnerability in the Advanced Custom Post Type plugin for WordPress. It can be exploited without authentication and lets an attacker execute arbitrary code on the web server, potentially leading to complete compromise of the host. Versions up to and including 2.0.47 are affected; version 2.0.48, released by the plugin developer, contains the fix.
The impact is severe. An attacker who exploits the flaw runs code as the web-server user, which on a typical WordPress host is enough to read wp-config.php and the database credentials it holds, steal user accounts and customer data, install web shells or other malware, alter site content, and use the server as a foothold for pivoting to other systems on the network. Because no authentication is required, exploitation is within reach of opportunistic attackers and automated scanners, not only of targeted intrusions. Successful exploitation could result in data breaches, defacement and disruption of service.
CVE-2026-25470 was publicly disclosed on 2026-03-16. No public exploit had been confirmed at the time of writing, but the critical severity and the absence of an authentication requirement make exploitation likely, and unauthenticated WordPress plugin flaws are routinely picked up by mass-scanning and exploitation tools. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog; its severity still warrants close monitoring.
Any site running the Advanced Custom Post Type plugin at version 2.0.47 or earlier is at risk. Shared hosting environments deserve particular attention: plugin updates there depend on each tenant, and hardening options such as custom WAF rules or PHP restrictions are often unavailable. Weak security practices, such as default credentials or an outdated WordPress core, do not change whether this unauthenticated flaw can be exploited, but they widen what an attacker can do once inside.
Disclosure: 2026-03-16
Exploit status: no public exploit confirmed at the time of writing
CVSS vector: not given on this page; severity is rated Critical

Quick checks and commands:

• wordpress (WP-CLI): confirm the plugin is installed and which version is present
wp plugin list | grep advanced-custom-post-type

• wordpress (WP-CLI): update this plugin only (adding --all would update every plugin instead)
wp plugin update advanced-custom-post-type

• generic web: look for POST requests that reference the plugin in the access log (matching on '"POST ' rather than a case-insensitive 'post', which every line already matches because the plugin slug contains the word)
grep 'advanced-custom-post-type' /var/log/apache2/access.log* | grep '"POST '

• generic web: check that the plugin's admin-ajax action answers; the advisory does not name the vulnerable action, so the action below is a placeholder, and a response only shows the endpoint is reachable, not that it is vulnerable
curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=advanced_custom_post_type_some_vulnerable_function'
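The same checks as one runnable script, added here as an example and not taken from the advisory or from the plugin: it reads the installed version from the plugin header, decides whether it predates the 2.0.48 fix, and pulls access-log lines that request PHP files directly inside the plugin directory. It assumes the standard WordPress layout (wp-content/plugins/advanced-custom-post-type/ with a "Version:" plugin header in the main file), an Apache combined-format log, and GNU sort -V. Because the advisory does not name the vulnerable endpoint, the log check is a generic indicator for this plugin (direct requests to plugin PHP files, which normal WordPress traffic does not make), not a signature for the exploit. The plugin header and log lines in the demo are constructed.

```shell
#!/bin/sh
# Added example for CVE-2026-25470 triage; not the advisory's or the plugin's code.
# Assumptions (not stated by the advisory):
#   - plugin directory wp-content/plugins/advanced-custom-post-type/ whose main
#     PHP file carries the standard "Version:" plugin header;
#   - Apache combined-format access log;
#   - GNU sort -V for version comparison.
# The vulnerable endpoint is not named in the advisory, so the log check flags
# direct requests to PHP files under the plugin directory rather than a
# specific action.

PLUGIN_SLUG="advanced-custom-post-type"
FIXED_VERSION="2.0.48"

# is_vulnerable VERSION: exit 0 when VERSION is older than the fixed release
# (2.0.47 or earlier), 1 when it is 2.0.48 or newer, 2 when VERSION is empty.
is_vulnerable() {
    v="$1"
    [ -n "$v" ] || { echo "no version found" >&2; return 2; }
    [ "$v" != "$FIXED_VERSION" ] &&
      [ "$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n 1)" = "$v" ]
}

# installed_version PLUGIN_DIR: print the version from the plugin header.
# (With WP-CLI available, "wp plugin get $PLUGIN_SLUG --field=version" does the same.)
installed_version() {
    grep -h -m 1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$1"/*.php 2>/dev/null |
      head -n 1 | sed -E 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# direct_plugin_hits LOGFILE: print log lines that request a PHP file directly
# under the plugin directory, whatever the method. Review every hit by hand.
direct_plugin_hits() {
    grep -E "\"[A-Z]+ /wp-content/plugins/$PLUGIN_SLUG/[^ ]*\.php" "$1"
}

# Self-contained demo on constructed data; run with: sh triage.sh --demo
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/plugin"
    # Constructed plugin header standing in for the real main file.
    cat > "$tmp/plugin/$PLUGIN_SLUG.php" <<'EOF'
<?php
/**
 * Plugin Name: Advanced Custom Post Type
 * Version: 2.0.47
 */
EOF
    # Constructed log: a page view, a routine admin-ajax POST (not flagged,
    # since the action name travels in the body and never reaches the log),
    # and one direct POST to a PHP file inside the plugin directory (flagged).
    cat > "$tmp/access.log" <<'EOF'
203.0.113.7 - - [16/Mar/2026:10:01:02 +0000] "GET /about/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Mar/2026:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 14 "https://example.org/wp-admin/" "Mozilla/5.0"
198.51.100.9 - - [16/Mar/2026:10:02:11 +0000] "POST /wp-content/plugins/advanced-custom-post-type/some-file.php HTTP/1.1" 200 0 "-" "python-requests/2.31"
EOF
    ver=$(installed_version "$tmp/plugin")
    if is_vulnerable "$ver"; then
        echo "installed $ver: VULNERABLE, update to $FIXED_VERSION or deactivate the plugin"
    else
        echo "installed $ver: not affected"
    fi
    echo "direct requests to plugin PHP files:"
    direct_plugin_hits "$tmp/access.log"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with --demo to see the constructed case. On a real site, point installed_version at the plugin directory and direct_plugin_hits at each rotated log file; if is_vulnerable succeeds and the update cannot be applied at once, "wp plugin deactivate advanced-custom-post-type" stops WordPress from loading the plugin until 2.0.48 is installed.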
The primary mitigation for CVE-2026-25470 is to update the Advanced Custom Post Type plugin to 2.0.48 or later immediately. If the update cannot be applied right away because of compatibility concerns, deactivate the plugin until it can: deactivation stops WordPress from loading the plugin's code, though its files remain on disk, and uninstalling removes them as well. A Web Application Firewall with rules targeting the plugin's endpoints adds a layer of defense but is no substitute for the patch. Monitor access logs for unusual activity, in particular requests to the plugin's files or endpoints from unfamiliar IP addresses or requests carrying suspicious payloads, and review the plugin's configuration for functionality exposed to unauthenticated users that the site does not need.
Version 2.0.48 is the patched release. If you cannot update and deactivating the plugin is not acceptable for the site, uninstalling it and moving to a replacement is the safer option until you can.
CVE-2026-25470 is a critical Remote Code Execution vulnerability in the Advanced Custom Post Type plugin for WordPress, affecting versions up to and including 2.0.47; it lets an unauthenticated attacker execute code on the server.
You are affected if the Advanced Custom Post Type plugin is installed at version 2.0.47 or earlier. Check the installed version and update immediately.
Update the plugin to 2.0.48 or later, which contains the fix. If updating is not possible, deactivate the plugin temporarily.
No confirmed exploitation has been publicly reported, but the critical severity and the lack of any authentication requirement make exploitation likely. Monitor your systems closely.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and the updated version.