Stored Cross-Site Scripting Vulnerability in Custom Post Type UI Plugin for WordPress
CVE-2025-14056

4.4 MEDIUM

Key Information:

Vendor: WordPress

CVE Published: 13 December 2025

What is CVE-2025-14056?

The Custom Post Type UI plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability caused by inadequate input sanitization and output escaping of the 'label' parameter during custom post type imports. The flaw allows authenticated attackers with Administrator privileges to insert malicious scripts. These scripts can execute on the Tools → Get Code page, potentially compromising users who access this functionality. Users should ensure they are running the patched version of the plugin to mitigate the risk associated with this vulnerability.
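
As a defensive check for the import path described above, the following added example (not code from the plugin or from this advisory) audits custom post type import data for label fields that contain markup before the data is imported. It assumes the import data is a JSON object keyed by post type slug with "label", "singular_label" and a nested "labels" object; the function names and the sample data are constructed for illustration.

```python
import json
import re

# Heuristic for markup in a field that should be plain text: an HTML tag,
# an entity-encoded "<", a javascript: URL, or an inline event handler.
MARKUP = re.compile(
    r"<\s*/?\s*[a-z!]|&(?:lt|#0*60|#x0*3c);|javascript\s*:|\bon\w+\s*=",
    re.IGNORECASE,
)

def iter_label_fields(post_type):
    """Yield (field, value) for each label-like string of one post type."""
    for key in ("label", "singular_label"):
        if isinstance(post_type.get(key), str):
            yield key, post_type[key]
    labels = post_type.get("labels")
    if isinstance(labels, dict):
        for key, value in labels.items():
            if isinstance(value, str):
                yield f"labels.{key}", value

def audit_import(raw_json):
    """Return (slug, field, value) for every label field containing markup."""
    data = json.loads(raw_json)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object keyed by post type slug")
    findings = []
    for slug, post_type in data.items():
        if isinstance(post_type, dict):
            for field, value in iter_label_fields(post_type):
                if MARKUP.search(value):
                    findings.append((slug, field, value))
    return findings

# Constructed sample import data (assumed layout, not taken from the plugin).
SAMPLE = json.dumps({
    "movie": {"name": "movie", "label": "Movies", "singular_label": "Movie",
              "labels": {"menu_name": "My Movies"}},
    "book": {"name": "book", "label": "Books<script>/* constructed */</script>",
             "singular_label": "Book", "labels": {"add_new": "Add <b>new</b>"}},
})

if __name__ == "__main__":
    for slug, field, value in audit_import(SAMPLE):
        print(f"{slug}: {field} contains markup: {value!r}")
```

A finding means the import file should be held for review; the check complements, and does not replace, updating to the patched plugin version.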

Affected Version(s)

Custom Post Type UI * <= 1.18.1

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

M Indra Purnama