PatchSiren cyber security CVE debrief
CVE-2026-25470 ACPT CVE debrief
The ACPT (Pro) - Custom Post Types Plugin for WordPress has a Code Injection vulnerability, allowing remote code inclusion due to improper control of code generation. This issue affects versions from n/a through 2.0.47. Users of affected versions should apply patches or upgrade to fixed versions. The vulnerability has a critical severity score of 10 and is considered high priority due to the risk of remote code execution.
- Vendor
- ACPT
- Product
- ACPT (Pro) - Custom Post Types Plugin for WordPress
- CVSS
- CRITICAL 10
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-17
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-17
Who should care
Users of ACPT (Pro) - Custom Post Types Plugin for WordPress version 2.0.47 or earlier should apply the patch or upgrade to a fixed version. This includes operators, administrators, and security teams responsible for maintaining WordPress installations with the affected plugin. Additionally, vulnerability management teams and security professionals should be aware of this critical vulnerability and take necessary actions to mitigate the risk.
Technical summary
The ACPT (Pro) - Custom Post Types Plugin for WordPress has a Code Injection vulnerability due to improper control of code generation, allowing remote code inclusion. This issue affects versions from n/a through 2.0.47. The vulnerability has a critical severity score of 10 and is considered high priority due to the risk of remote code execution. Users of affected versions should apply patches or upgrade to fixed versions.
Defensive priority
High priority due to critical severity and remote code execution risk.
Recommended defensive actions
- Apply the patch or upgrade to a fixed version of ACPT (Pro) - Custom Post Types Plugin for WordPress
- Inventory and verify installed plugin versions
- Monitor for suspicious activity
- Implement compensating controls
- Exception tracking and retest
- Review and validate affected scope and vendor guidance
- Track exceptions and retest remediated assets
Evidence notes
Evidence from official CVE and NVD sources indicate a critical vulnerability exists in ACPT (Pro) - Custom Post Types Plugin for WordPress. The issue allows remote code inclusion due to improper control of code generation. Affected versions range from n/a through 2.0.47. Defenders should verify installed plugin versions and monitor for suspicious activity.
Official resources
-
CVE-2026-25470 CVE record
CVE.org
-
CVE-2026-25470 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T13:20:11.603Z and has not been modified since then.