CVE-2026-25470: Critical Vulnerability in the WordPress Plugin ACPT (CVSS 10.0)
On June 16, 2026, a critical vulnerability in the WordPress plugin "ACPT (Pro) – Custom Post Types" was disclosed under the identifier CVE-2026-25470 (not yet listed in the NVD catalog at the time of publication). The vulnerability has been assigned the highest possible CVSS score of 10.0 and allows attackers to execute arbitrary code without authentication (Remote Code Execution, RCE). All plugin versions up to and including 2.0.47 are affected, which poses a significant security risk to the operators of the affected websites.
Technical Analysis of the Vulnerability
The vulnerability is classified as CWE-94 (Improper Control of Generation of Code), also known as code injection. It allows a remote, unauthenticated attacker to inject their own program code and have it executed directly in the web server's context. This enables the attacker to take complete control of the WordPress instance. The full technical description is available in the Patchstack advisory.
The CVSS score CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H describes the critical nature of the problem. The most important parameters are explained below:
- AV:N (Attack Vector: Network): The attack can be carried out over the Internet.
- AC:L (Attack Complexity: Low): No complex preparations are necessary for a successful attack.
- PR:N (Privileges Required: None): The attacker does not need any login credentials or existing permissions.
- UI:N (User Interaction: None): An attack does not require any user interaction.
- S:C (Scope: Changed): The attacker can use the WordPress plugin to compromise additional resources on the underlying web server or operating system.
The discovery is attributed to security researcher Jarno Vos, who submitted the report through Patchstack's bug bounty program.
Impact on Corporate Security and Compliance
A successful exploit of CVE-2026-25470 could lead to the compromise of the entire website. Possible consequences include the theft of sensitive data from the database (e.g., customer data), the distribution of malware, or the website being incorporated into a botnet. Such incidents pose not only a technical risk but also a compliance risk. Under regulations such as NIS-2, or certifications in accordance with ISO 27001, organizations are required to implement effective vulnerability management and respond promptly to critical threats.
For organizations in Germany, Austria, and Switzerland, this also gives rise to specific legal obligations: if exploitation of this vulnerability results in a data breach involving personal data, the GDPR reporting obligation under Article 33 applies, and the controller must report the incident to the competent data protection authority within 72 hours. Operators of essential or important entities as defined in the NIS-2 Directive are also required to report significant security incidents immediately and to have appropriate protective measures in place. The BSI generally recommends immediately disabling unpatched plugins with a critical CVSS score until an official patch from the vendor is available.
Recommended Immediate Actions
As of the date of publication on June 16, 2026, no official security patch was available from the plugin vendor. There is currently no patched version of the ACPT plugin; as soon as a corrected version is released, an immediate update will be required. Site administrators are therefore strongly advised to implement the following measure:
Primary Recommendation: Disable the plugin
The safest way to minimize risk is to immediately deactivate and uninstall the ACPT plugin on all WordPress systems. This will completely remove the vulnerable component from the system environment.
For customers of the security service provider Patchstack, a virtual patch (vPatch) is available—if provided by Patchstack for this CVE—that can block the attack attempt at the Web Application Firewall (WAF) level. However, this should only be considered a temporary workaround until an officially patched version of the plugin is released.
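Deactivating the plugin everywhere presupposes knowing which installations carry it and at which version. The script below is an added example written for this article, not LocateRisk's or Patchstack's code: it reads the standard WordPress plugin header (`Plugin Name:` and `Version:` in the first 8 KB of each plugin's main PHP file), flags any plugin whose name contains "ACPT" (the name marker is an assumption; the exact header string the real plugin uses is not given on this page) with a version at or below 2.0.47, and builds a small constructed `wp-content/plugins` directory so it runs offline. The "9.9.9" entry is a constructed placeholder standing in for a hypothetical future fixed release, included only to show that the version comparison lets it pass.

```python
import re
import tempfile
from pathlib import Path

# Matches WordPress header lines such as " * Plugin Name: Foo" or "Version: 1.2".
HEADER_RE = re.compile(
    r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$",
    re.MULTILINE | re.IGNORECASE,
)


def read_plugin_header(php_file: Path) -> dict:
    """Return {'plugin name': ..., 'version': ...} from a plugin's main file.
    WordPress itself only inspects the first 8 KB, so we do the same."""
    text = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    return {key.lower(): value for key, value in HEADER_RE.findall(text)}


def version_tuple(version: str) -> tuple:
    """'2.0.47' -> (2, 0, 47); non-numeric fragments are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def is_vulnerable(version: str, max_affected: str = "2.0.47") -> bool:
    """True when version <= max_affected (all versions up to and including
    2.0.47 are affected per the advisory)."""
    return version_tuple(version) <= version_tuple(max_affected)


def find_affected_plugins(plugins_dir, name_marker: str = "ACPT",
                          max_affected: str = "2.0.47") -> list:
    """Scan <plugins_dir>/*/*.php and return (slug, name, version) for every
    plugin whose header name contains name_marker at an affected version."""
    affected = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_plugin_header(php)
        name = header.get("plugin name")
        if not name or name_marker.lower() not in name.lower():
            continue
        version = header.get("version", "")
        if version and is_vulnerable(version, max_affected):
            affected.append((php.parent.name, name, version))
    return affected


def build_sample_plugins_dir() -> Path:
    """Constructed sample plugin directory (not a real WordPress install)."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    samples = {
        "acpt/acpt.php": ("ACPT (Pro) – Custom Post Types", "2.0.47"),
        # Placeholder version for a hypothetical fixed release (constructed).
        "acpt-future/acpt.php": ("ACPT (Pro) – Custom Post Types", "9.9.9"),
        "hello-dolly/hello.php": ("Hello Dolly", "1.7.2"),
    }
    for rel, (name, version) in samples.items():
        f = root / rel
        f.parent.mkdir(parents=True)
        f.write_text(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n",
                     encoding="utf-8")
    return root


if __name__ == "__main__":
    # Point this at a real wp-content/plugins directory to inventory a site.
    for slug, name, version in find_affected_plugins(build_sample_plugins_dir()):
        print(f"AFFECTED: {slug} ({name}) version {version} -> deactivate and remove")
```

On a real host, pass the path of `wp-content/plugins` instead of the sample directory; the header-based check works regardless of whether the site is reachable over HTTP, which makes it suitable for an inventory run across servers managed by different teams or agencies.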
Achieve Transparency of the Attack Surface with LocateRisk
Vulnerabilities such as CVE-2026-25470 highlight how quickly a single unpatched component can become a security vulnerability for an entire digital infrastructure, especially when WordPress installations in an enterprise environment have grown over time and are no longer fully inventoried.
The External Attack Surface Management (EASM) platform from LocateRisk automates the continuous discovery and assessment of all externally accessible IT systems. It identifies publicly accessible WordPress installations, including those that have been forgotten over time or are operated by external agencies without central documentation, and uses fingerprinting methods to detect plugins such as ACPT. This provides IT security teams with a quick and accurate overview of which systems are affected by a critical vulnerability before a security incident occurs.
LocateRisk serves as a digital early-warning system: Instead of having to manually check dozens of instances, CISOs and IT teams can see at a glance which specific systems are affected by CVE-2026-25470 and can take countermeasures before attackers exploit the vulnerability.
If external service providers or agencies manage WordPress installations on behalf of your company, this creates an additional vendor risk: the security of your digital presence then also depends on third-party patch management. With Continuous Vendor Risk Management (C-VRM), LocateRisk supports the automated security assessment of such service providers and provides transparency regarding risks in the digital supply chain. The LocateRisk platform is operated in German data centers and helps organizations meet their GDPR requirements.
Sources and further information
Do you know your external attack surface?
LocateRisk continuously and automatically identifies your external IT systems and assesses their security level. Gain clarity on your exposed assets.
Frequently asked questions
CVE-2026-25470 is a critical vulnerability (CVSS 10.0) in the WordPress plugin "ACPT (Pro) – Custom Post Types," classified as CWE-94 (Code Injection). It allows attackers to inject malicious code over the network and gain complete control over the web server (scope change). The vulnerability was publicly disclosed on June 16, 2026, through the Patchstack bug bounty program.
All versions of the plugin up to and including 2.0.47 are affected by the vulnerability. As of the date of publication (June 16, 2026), there was no official patch from the vendor. It is recommended that you immediately deactivate and uninstall the plugin until a corrected version is available.
The primary recommendation is to immediately disable and uninstall the ACPT plugin. Patchstack customers can enable temporary protection at the WAF level, provided that a corresponding virtual patch (vPatch) has been released for this CVE. However, this does not replace the official vendor patch and should only be used as a temporary measure.