Platform
wordpress
Component
custom-post-type
Fixed version
1.0.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Custom Post Type plugin for WordPress. This flaw, affecting versions 1.0.0 through 1.0, allows unauthenticated attackers to delete custom post types by tricking a site administrator into performing a forged action. While the impact is limited to custom post type deletion, it can disrupt site functionality and data integrity. A fix is pending release from the plugin developer.
The primary impact of this CSRF vulnerability is the unauthorized deletion of custom post types. An attacker could craft a malicious link or embed a hidden form on a website that, when visited by an administrator, triggers the deletion of custom post types. This can lead to data loss, broken site functionality, and a degraded user experience. While direct data exfiltration isn't possible through this vulnerability, it could be chained with other attacks to gain further access or control over the WordPress site. The blast radius is limited to the specific WordPress instance running the vulnerable plugin and its associated custom post types.
This vulnerability was publicly disclosed on 2025-11-21. Currently, there are no known public proof-of-concept exploits available. The EPSS score is likely to be low to medium, given the requirement for administrator interaction and the limited impact. It is not currently listed on the CISA KEV catalog.
WordPress sites utilizing the Custom Post Type plugin are at risk, particularly those with shared hosting environments or where administrator access is not strictly controlled. Sites relying heavily on custom post types for core functionality are also at higher risk, as the deletion of these post types could significantly disrupt site operations.
• wordpress / composer / npm:
grep -r "wp_delete_custom_post_type" /var/www/html/wp-content/plugins/custom-post-type/
• generic web (URL quoted so the shell does not treat & as a background operator):
curl -I "https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=custom_post_type_delete&post_type=your_custom_post_type" | grep -i '200 ok'
Disclosure
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
Until a patched version of the Custom Post Type plugin is released, several mitigation steps can be taken. First, restrict access to the WordPress admin panel to only authorized personnel. Implement strict URL filtering on your web server to block suspicious requests. Consider using a WordPress security plugin with CSRF protection features. Additionally, carefully review any links or forms received via email or other channels before clicking or submitting them. After a patched version is available, upgrade the plugin immediately and verify that custom post types are intact by listing them within the WordPress admin interface.
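The defence WordPress provides against this class of bug is a per-action nonce checked in the handler, combined with a capability check. The following is an added illustration, not the plugin's own code (which this page does not show); the hook name `custom_post_type_delete` mirrors the admin-ajax action used in the detection check above, and every identifier prefixed `cpt_example_` is assumed.

```php
<?php
// Added example, not the Custom Post Type plugin's code. The action name
// 'custom_post_type_delete' is borrowed from the detection check above;
// every cpt_example_ identifier and the 'cpt-example-admin' script handle
// (assumed to be registered elsewhere with wp_register_script) are assumptions.

// Illustrative unprotected pattern: whatever reaches the handler is acted on,
// so a request forged from a logged-in administrator's browser succeeds.
function cpt_example_delete_unsafe() {
    unregister_post_type( sanitize_key( $_REQUEST['post_type'] ) );
    wp_send_json_success();
}

// Hardened pattern: a nonce bound to this action plus a capability check.
function cpt_example_delete_safe() {
    // Fails (dies with -1) if the 'nonce' field is missing, expired, or was
    // issued for another action or another user.
    check_ajax_referer( 'custom_post_type_delete', 'nonce' );

    // CSRF protection is not authorization: still verify the caller may do this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $post_type = isset( $_POST['post_type'] ) ? sanitize_key( wp_unslash( $_POST['post_type'] ) ) : '';
    if ( '' === $post_type || ! post_type_exists( $post_type ) ) {
        wp_send_json_error( 'unknown post type', 400 );
    }

    // unregister_post_type() removes the type for this request only; how the
    // plugin persists its definitions is not shown on this page (assumption).
    $result = unregister_post_type( $post_type );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'deleted' => $post_type ) );
}
// Register only the authenticated hook; no wp_ajax_nopriv_ variant exists.
add_action( 'wp_ajax_custom_post_type_delete', 'cpt_example_delete_safe' );

// The admin page that sends the request must embed a nonce for the same
// action so the browser includes it in every POST.
function cpt_example_enqueue() {
    wp_localize_script( 'cpt-example-admin', 'cptExample', array(
        'nonce' => wp_create_nonce( 'custom_post_type_delete' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'cpt_example_enqueue' );
```

Because the nonce is tied to the logged-in user and to the action, a page on another origin cannot obtain a valid one, which is what stops the forged deletion request.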
No known fix patch is available. Review the vulnerability details closely and apply mitigations according to your organization's risk tolerance. Uninstalling the affected software and finding an alternative may be the best option.
CVE-2025-13142 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Custom Post Type plugin for WordPress versions 1.0.0–1.0, allowing attackers to delete custom post types.
If you are using the Custom Post Type plugin for WordPress in versions 1.0.0 through 1.0, you are potentially affected by this vulnerability.
Upgrade to a patched version of the Custom Post Type plugin when available. Until then, restrict admin access and implement URL filtering.
As of now, there are no confirmed reports of active exploitation of CVE-2025-13142, but it is recommended to apply mitigations proactively.
Check the plugin developer's website or WordPress.org plugin page for updates and advisories related to CVE-2025-13142.