PT-2025-51046 · WordPress · Custom Post Type UI

Published: 2025-12-13 · Updated: 2025-12-13 · CVE-2025-14056

CVSS v3.1: 4.4 (Medium)

Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Custom Post Type UI plugin for WordPress versions prior to 1.18.2

Description

The Custom Post Type UI plugin for WordPress has a flaw that allows an attacker with Administrator-level access to inject malicious web scripts. This is possible through the label parameter during the import of custom post types, because the plugin does not properly sanitize or escape user-provided input. An attacker can inject arbitrary web scripts that will execute when any user accesses the Tools → Get Code page.

Recommendations

Update the Custom Post Type UI plugin to version 1.18.2 or later.
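
An added example, not part of the advisory or the plugin's code: a pre-import check that flags markup in the label fields of a custom post type import file before an administrator loads it. The JSON layout (`label`, `singular_label`, a nested `labels` object) and the sample data are assumptions constructed for illustration.

```python
import html
import json
import re

# Assumed names of label-bearing fields in an import file (not from the advisory).
LABEL_KEYS = {"label", "singular_label"}
# Labels are plain text, so any angle bracket is treated as suspect.
MARKUP = re.compile(r"[<>]")

def _decode(value):
    # Undo nested entity encoding (e.g. &amp;lt;) so encoded markup is still seen.
    for _ in range(5):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value

def audit_labels(node, path="$", in_labels=False):
    """Return (json_path, raw_value) for every label value containing markup."""
    findings = []
    if isinstance(node, dict):
        for key, child in node.items():
            child_path = f"{path}.{key}"
            if isinstance(child, str):
                if (in_labels or key in LABEL_KEYS) and MARKUP.search(_decode(child)):
                    findings.append((child_path, child))
            else:
                findings += audit_labels(child, child_path, in_labels or key == "labels")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            findings += audit_labels(child, f"{path}[{i}]", in_labels)
    return findings

# Constructed sample import data, not taken from a real site.
SAMPLE_IMPORT = json.dumps({
    "book": {
        "name": "book",
        "label": "Books<script>alert(1)</script>",
        "singular_label": "Book",
        "labels": {"menu_name": "My Books", "add_new": "Add &amp;lt;b&amp;gt;new"},
    },
    "movie": {"name": "movie", "label": "Movies", "singular_label": "Movie", "labels": {}},
})

if __name__ == "__main__":
    for where, value in audit_labels(json.loads(SAMPLE_IMPORT)):
        print(f"refuse import: {where} = {value!r}")
```

A check like this complements the update to 1.18.2 and does not replace it, since output escaping on the affected page is what the fixed version has to provide.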

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-14056

Affected Products

Custom Post Type UI