CVE-2025-14056
Custom Post Type UI <= 1.18.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'label' Import Parameter
CVSS Score
4.4
EPSS Score
0.0%
EPSS Percentile
0th
The Custom Post Type UI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'label' parameter during custom post type import in all versions up to, and including, 1.18.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses the Tools โ Get Code page.
| CWE | CWE-79 |
| Vendor | webdevstudios |
| Product | custom post type ui |
| Published | Dec 13, 2025 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for webdevstudios custom post type ui
Be the first to know when new medium vulnerabilities affecting webdevstudios custom post type ui are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
webdevstudios / Custom Post Type UI
0 โค 1.18.1
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/890c743e-da5e-46ed-a011-cecd24778163?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/custom-post-type-ui/trunk/inc/tools-sections/tools-post-types.php#L201 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/custom-post-type-ui/tags/1.18.1/inc/tools-sections/tools-post-types.php#L201 github.com: https://github.com/WebDevStudios/custom-post-type-ui/pull/1014/files#diff-bd3331205024f12a78d74b312bc4f5ad118b5734999bf53a4a95e0959891f60a
Credits
M Indra Purnama