PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25470 ACPT CVE debrief

The ACPT (Pro) - Custom Post Types Plugin for WordPress has a Code Injection vulnerability, allowing remote code inclusion due to improper control of code generation. This issue affects versions from n/a through 2.0.47. Users of affected versions should apply patches or upgrade to fixed versions. The vulnerability has a critical severity score of 10 and is considered high priority due to the risk of remote code execution.

Vendor
ACPT
Product
ACPT (Pro) - Custom Post Types Plugin for WordPress
CVSS
CRITICAL 10
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-17
Advisory published
2026-06-17
Advisory updated
2026-06-17

Who should care

Users of ACPT (Pro) - Custom Post Types Plugin for WordPress version 2.0.47 or earlier should apply the patch or upgrade to a fixed version. This includes operators, administrators, and security teams responsible for maintaining WordPress installations with the affected plugin. Additionally, vulnerability management teams and security professionals should be aware of this critical vulnerability and take necessary actions to mitigate the risk.

Technical summary

The ACPT (Pro) - Custom Post Types Plugin for WordPress has a Code Injection vulnerability due to improper control of code generation, allowing remote code inclusion. This issue affects versions from n/a through 2.0.47. The vulnerability has a critical severity score of 10 and is considered high priority due to the risk of remote code execution. Users of affected versions should apply patches or upgrade to fixed versions.

Defensive priority

High priority due to critical severity and remote code execution risk.

Recommended defensive actions

  • Apply the patch or upgrade to a fixed version of ACPT (Pro) - Custom Post Types Plugin for WordPress
  • Inventory and verify installed plugin versions
  • Monitor for suspicious activity
  • Implement compensating controls
  • Exception tracking and retest
  • Review and validate affected scope and vendor guidance
  • Track exceptions and retest remediated assets

Evidence notes

Evidence from official CVE and NVD sources indicate a critical vulnerability exists in ACPT (Pro) - Custom Post Types Plugin for WordPress. The issue allows remote code inclusion due to improper control of code generation. Affected versions range from n/a through 2.0.47. Defenders should verify installed plugin versions and monitor for suspicious activity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T13:20:11.603Z and has not been modified since then.