External risk intelligence

WordPress ACPT Plugin Code Injection Vulnerability.

CVE advisory

Severity: CRITICAL (CVSS 10.0)

CVE-2026-25470

A critical code injection vulnerability exists in a WordPress plugin that creates custom post types, potentially allowing remote code inclusion. If reachable, an attacker could execute arbitrary code on the server, impacting site integrity and data. Confirmation of the plugin's usage and its internet accessibility with

Code Injection

Halo Surface Signal

Likely · external exposure

4 Halo Surface Signal

The vulnerability affects a WordPress plugin which is typically used to extend the functionality of public-facing websites. As a component of a web application, it is commonly deployed in environments reachable via the internet, making the vulnerable code path accessible to remote users.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in a WordPress plugin that allows for the creation of custom post types. This flaw could potentially enable unauthorized remote code execution, meaning an attacker could run their own code on affected systems. The primary concern is to confirm if this plugin is in use within our environment and, if so, to what extent.

  • Attackers can run code remotely.
  • Confirm if this plugin is in use.
  • Assess relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request to a WordPress site utilizing the ACPT Pro plugin. This request would target the plugin's code generation feature, potentially leading to the inclusion of arbitrary remote code. If successful, this could allow an attacker to execute commands on the server, compromise data, or deface the website.

  • No authentication required.
  • Triggered via crafted requests.
  • Leads to remote code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary code on the server, potentially leading, where the advisory supports it, to the inclusion of malicious code on the affected WordPress site.

  • Server-side code execution.
  • Remote code inclusion via network.
  • Compromised site integrity and data.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in a WordPress plugin requires immediate attention from teams managing public-facing web applications. The first step is to inventory all WordPress sites using the ACPT Pro plugin, identify which are internet-accessible, and confirm their business criticality. Subsequently, the accountable owner of each identified instance should be engaged to plan and execute remediation based on the assessed risk.

  • WordPress site owners/administrators.
  • Verify plugin usage and internet exposure.
  • Coordinate vendor updates and risk mitigation.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-25470 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in the WordPress ACPT plugin allows remote code inclusion, which could lead to a scan failure due to a code injection flaw.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is the ACPT Pro plugin for WordPress?

ACPT (Pro) - Custom Post Types is a WordPress plugin designed to help site administrators create and manage custom content structures. It extends core WordPress functionality by allowing users to define unique post types, taxonomies, and meta fields without writing manual code. It is often installed to streamline site organization and content management workflows.

What does Code Injection mean for CVE-2026-25470?

This vulnerability, classified as CWE-94, refers to a weakness where the plugin improperly handles the generation of code. Because the software fails to sanitize inputs correctly, an attacker can trick the system into including and executing arbitrary instructions that were not intended to be run, effectively allowing them to inject their own logic into the server's processes.

How is this vulnerability triggered?

The issue is triggered when an attacker sends a specially crafted network request to a site running the affected plugin. The flaw exists within the plugin's code generation feature. Crucially, the vulnerability does not require the attacker to have an existing user account or any prior authentication to successfully execute the malicious code on the server.

Is my site at risk according to Halo Surface Signal?

Halo Surface Signal identifies this as a likely risk because the plugin is typically used to support functionality on public-facing websites. Since the code path is reachable over the network, any WordPress instance with this plugin that is accessible from the internet is considered a potential target for remote interaction.

How should I respond to this threat?

Your first step is to perform an inventory of all WordPress sites to identify where the ACPT Pro plugin is currently installed. Once identified, evaluate which of those sites are reachable from the internet. If you find affected instances, verify if the current version is within the vulnerable range and coordinate with your team to plan for vendor updates or necessary mitigation steps.
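The inventory step described here and under "Operational Fix" can be scripted on hosts that serve WordPress. The following is an added example, not code from the advisory or the plugin vendor. It assumes the plugin can be recognised by a "Plugin Name:" header containing "ACPT"; the function names are hypothetical, and because the page gives no vulnerable version range the script only reports the installed version.

```shell
#!/bin/sh
# Added example: list WordPress plugin installs whose header name matches a pattern.
# Assumption: the plugin is identified by "ACPT" in its "Plugin Name:" header;
# the advisory page gives neither the directory slug nor the affected versions.
PLUGIN_PATTERN="${PLUGIN_PATTERN:-ACPT}"

# Print one header field from the first 8 KB of a plugin file, the region
# WordPress itself reads for plugin metadata.
plugin_header() {   # $1 = file, $2 = field name
    head -c 8192 "$1" | tr -d '\r' |
        sed -n "s|^[[:space:]*#@/]*$2:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$|\1|p" |
        head -n 1
}

# Walk each given directory, find every wp-content/plugins folder and print
# "<plugin dir><TAB><plugin name><TAB><version>" for each matching plugin.
find_plugin_installs() {   # args: one or more directories to search
    for root in "$@"; do
        find "$root" -type d -path '*/wp-content/plugins' 2>/dev/null |
        while IFS= read -r plugins_dir; do
            for file in "$plugins_dir"/*/*.php; do
                [ -f "$file" ] || continue
                name=$(plugin_header "$file" "Plugin Name")
                [ -n "$name" ] || continue
                # Case-insensitive match; review hits by hand, since an
                # unrelated plugin could also carry the pattern in its name.
                printf '%s' "$name" | grep -qi -- "$PLUGIN_PATTERN" || continue
                version=$(plugin_header "$file" "Version")
                printf '%s\t%s\t%s\n' "$(dirname "$file")" "$name" "${version:-unknown}"
            done
        done
    done
}

# Stand-alone use: pass the web roots to search as arguments.
if [ "$#" -gt 0 ]; then
    find_plugin_installs "$@"
fi
```

Each reported path still has to be mapped to its hostname and checked for internet reachability, and the reported version compared against the vendor's advisory.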
