cleantalk
Vulnerabilities and Security Researches

Custom Post Type, CVE-2025-13142

CVE, Research URL

CVE-2025-13142

Home page URL

Security reports for Custom Post Type

Application

Custom Post Type

Published on
Nov 21, 2025
Research Description
The Custom Post Type plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the custom post type deletion functionality. This makes it possible for unauthenticated attackers to delete custom post types via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.0.
Status
vulnerable
Previous vulnerability researches
TT Custom Post Type Creator (CVE-2024-34430) , Jun 07, 2024
Custom Post Type Lockdown WordPress (CVE-2025-23530) , Jan 18, 2025
Custom post type templates for Elementor (CVE-2024-51683) , Nov 05, 2024
Custom Post Type List Shortcode (CVE-2023-0542) , Jun 07, 2024
Custom Post Type (CVE-2025-13142) , Dec 10, 2025
New vulnerability
Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form (CVE-2026-25418) , Feb 28, 2026
Image Photo Gallery Final Tiles Grid (CVE-2026-25375) , Feb 28, 2026
Share This Image (CVE-2026-25010) , Feb 28, 2026
Bold Page Builder (CVE-2026-25451) , Feb 28, 2026
Bold Page Builder (CVE-2025-13463) , Feb 28, 2026