CRITICAL | CVE-2026-25470 | CNA: Patchstack

CVE-2026-25470: WordPress ACPT (Pro) - Custom Post Types plugin for WordPress plugin <= 2.0.47 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin for WordPress allows Remote Code Inclusion. This issue affects ACPT (Pro) - Custom Post Types Plugin for WordPress: from n/a through 2.0.47.

Metrics

  • CVSS v3.1: 10.0
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A code injection vulnerability in the ACPT (Pro) - Custom Post Types Plugin for WordPress (versions through 2.0.47) allows an unauthenticated remote attacker to inject and execute arbitrary code on the host server. The vulnerability is reachable over the network with no authentication required and no victim interaction needed, and the CVSS scope is changed, meaning impact extends beyond the vulnerable component itself. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the server. HarborGuard tracks this advisory for patch availability and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: CVE-2026-25470 is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the ACPT or ACPT Pro plugin. Coverage applies to images in both connected registries and active CI/CD pipelines.

Triage (Available)

HarborGuard scores this CVE at CVSS 10.0 (Critical) and surfaces it with that severity in each customer's finding queue. Per-environment compliance policy weighting is applied automatically, and the finding is routed to the inbox or escalation channel configured for critical-severity issues within each customer org.

Patch (Pending upstream)

No fix version has been published by the upstream maintainer as of the CVE publication date. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available immediately once an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.
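As an added illustration of the image-side part of that detection (example code, not HarborGuard's scanner or ACPT's code), the script below parses WordPress plugin file headers and flags any ACPT-named plugin whose Version is within the advisory's affected range (≤ 2.0.47). The plugin paths, main-file names and header samples are constructed assumptions, not taken from the advisory.

```python
"""Offline check of WordPress plugin headers against the affected range of
CVE-2026-25470 (ACPT / ACPT Pro <= 2.0.47). Header samples are constructed;
the plugin directory and file names are assumptions, not from the advisory."""
import re
from typing import Optional

AFFECTED_MAX = (2, 0, 47)  # "through 2.0.47" per the advisory
CVE_ID = "CVE-2026-25470"
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)

def parse_version(text: str) -> tuple:
    """'2.0.47' -> (2, 0, 47); trailing tags such as '-beta' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def is_acpt(name: str) -> bool:
    # Whole-word match so unrelated plugins that merely contain the letters are skipped.
    return re.search(r"\bACPT\b", name, re.IGNORECASE) is not None

def check_plugin_header(header: str) -> Optional[dict]:
    """Return a finding if the header names ACPT at a version <= 2.0.47."""
    fields = dict(HEADER_RE.findall(header))
    name, version = fields.get("Plugin Name"), fields.get("Version")
    if not name or not version or not is_acpt(name):
        return None
    # Tuple comparison also handles short versions: (2, 0) < (2, 0, 47) is True.
    if parse_version(version) <= AFFECTED_MAX:
        return {"name": name, "version": version, "cve": CVE_ID}
    return None

def scan(headers: dict) -> list:
    """headers maps plugin path -> main-file header text; returns the findings."""
    findings = []
    for path, text in headers.items():
        hit = check_plugin_header(text)
        if hit:
            findings.append({"path": path, **hit})
    return findings

# Constructed sample input standing in for wp-content/plugins/*/<main>.php headers.
SAMPLE_HEADERS = {
    "wp-content/plugins/acpt-pro/acpt-pro.php": "/**\n * Plugin Name: ACPT Pro\n * Version: 2.0.47\n */",
    "wp-content/plugins/acpt/acpt.php": "/**\n * Plugin Name: ACPT\n * Version: 1.9.3\n */",
    "wp-content/plugins/acpt-next/acpt.php": "/**\n * Plugin Name: ACPT\n * Version: 2.0.48\n */",
    "wp-content/plugins/example-forms/forms.php": "/**\n * Plugin Name: Example Forms\n * Version: 3.1.0\n */",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_HEADERS):
        print(f"{f['cve']}: {f['name']} {f['version']} at {f['path']}")
```

The header check is a version-range match only; once the maintainer publishes a fix version, raise the comparison bound accordingly.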

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; an attacker sends a crafted HTTP request to the exposed WordPress instance to trigger the injection.

  • Authentication: Not required

    No account or credential of any privilege level is needed to reach the vulnerable code path.

  • Victim interaction: Not required

    Exploitation is fully server-side; no user action such as clicking a link or opening a file is required.

  • Attack complexity: Low

    The exploit is reliable and condition-free, with no race conditions, memory layout dependencies, or other environmental factors required.

Blast Radius

  • Attacker executes arbitrary server-side code, enabling full remote control of the WordPress host process.
  • All data stored in the WordPress database (posts, user credentials, session tokens, private metadata) is readable and exfiltrable.
  • Attacker can modify or delete any persisted content, plugin files, theme files, or database records on the server.
  • Because the CVSS scope is changed, impact can extend to other services or tenants sharing the same host or container environment, including potential lateral movement.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-25470 is a zero-day with no upstream patch published as of the CVE publication date, so the remediation posture is compensating-control-focused until a fix ships. HarborGuard monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is confirmed; customers with auto-remediation enabled will receive that rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention. In the interim, network-policy isolation of WordPress containers is advisable: restrict inbound access to the ACPT plugin's endpoints via ingress rules or a WAF rule blocking the relevant request patterns, and apply egress filtering to prevent outbound callbacks from an already-compromised container. Where compliance policy permits, consider feature-flag gating or disabling the ACPT Pro plugin entirely on images that do not require it in production, reducing the exposed attack surface until the upstream maintainer publishes a fix.

Affected packages
  • ACPT / ACPT (Pro) - Custom Post Types Plugin for WordPress
    ≤ 2.0.47
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H