cleantalk
Vulnerabilities and Security Researches

Custom Post Type UI, CVE-2025-14056

CVE, Research URL

CVE-2025-14056

Home page URL

Security reports for Custom Post Type UI

Application

Custom Post Type UI

Published on
Dec 13, 2025
Research Description
The Custom Post Type UI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'label' parameter during custom post type import in all versions up to, and including, 1.18.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses the Tools → Get Code page.
Affected versions
max 1.18.2.
Status
vulnerable
Previous vulnerability researches
WordPress Directory Plugin For Business Listings – WP Local Plus (6d8910c719b2a132ec93828cd37e418b19cac960) , Jun 06, 2024
New vulnerability
Magic Post Thumbnail (CVE-2023-33999) , Jun 14, 2026
WP Google Street View (with 360° virtual tour) & Google maps + Local SEO (CVE-2023-33999) , Jun 14, 2026
Elegant Calendar Lite – WordPress Events Calendar Plugin (CVE-2023-33999) , Jun 14, 2026
WooCommerce Attribute Stock – Shared Stock & Quantity Multipliers (Lite Version) (CVE-2023-33999) , Jun 14, 2026
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss (CVE-2023-33999) , Jun 14, 2026