Vulnerabilities and security researches forcustom-post-type-ui custom-post-type-ui

Jun 06, 2024

CVE, Research URL: CVE-2023-1623
Home page URL: Security reports for Custom Post Type UI
Application: Custom Post Type UI
Date: Apr 25, 2023
Research Description: The Custom Post Type UI WordPress plugin before 1.13.5 does not properly check for CSRF when sending the debug information to a user supplied email, which could allow attackers to make a logged in admin send such information to an arbitrary email address via a CSRF attack.
Affected versions: max 1.13.5.
Status: vulnerable

CVE, Research URL: 7e74f7f7f0951d92dcba220c4a16ed7e48d3aa75
Home page URL: Security reports for Custom Post Type UI
Application: Custom Post Type UI
Date: Mar 17, 2020
Research Description: Custom Post Type UI [custom-post-type-ui] < 1.13.5 WordPress Custom Post Type UI plugin <= 1.7.3 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered in WordPress Custom Post Type UI plugin (versions <= 1.7.3).
Affected versions: max 1.13.5.
Status: vulnerable

Aug 05, 2025

PSC, Research URL: PSC-2025-64579
Home page URL: Security reports for Custom Post Type UI
Application: Custom Post Type UI
Date: Aug 05, 2025
Research Description: Custom Post Type UI has successfully passed a comprehensive security audit and earned the Plugin Security Certification (PSC-2025-64579) from CleanTalk. This milestone confirms that the plugin adheres to the highest standards of secure coding practices, allowing users to leverage custom content types with confidence and protection.
Affected versions: Min 1.18.0, max 1.18.0.
Status: SAFE & CERTIFIED

Jan 08, 2026

CVE, Research URL: CVE-2025-12826
Home page URL: Security reports for Custom Post Type UI
Application: Custom Post Type UI
Date: Dec 04, 2025
Research Description: The Custom Post Type UI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.18.0. This is due to the plugin not verifying that a user has the required capability to perform actions in the "cptui_process_post_type" function. This makes it possible for authenticated attackers, with subscriber level access and above, to add, edit, or delete custom post types in limited situations.
Affected versions: max 1.18.1.
Status: vulnerable