{"id":8632,"date":"2026-06-17T11:23:32","date_gmt":"2026-06-17T11:23:32","guid":{"rendered":"https:\/\/locaterisk.com\/de\/?p=8632"},"modified":"2026-06-17T14:43:47","modified_gmt":"2026-06-17T14:43:47","slug":"cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt","status":"publish","type":"post","link":"https:\/\/locaterisk.com\/en\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\/","title":{"rendered":"CVE-2026-25470: Critical Vulnerability in the WordPress Plugin ACPT (CVSS 10.0)"},"content":{"rendered":"<div class=\"wp-block-lr-blog-article-header-module\">\r\n    <div class=\"content\">\r\n        <div class=\"main-content\">\r\n            <h1 class=\"title\">CVE-2026-25470: Critical Vulnerability in the WordPress Plugin ACPT (CVSS 10.0)<\/h1>\r\n            <p class=\"paragraph\"><br>On June 16, 2026, a critical vulnerability in the WordPress plugin \u201cACPT (Pro) \u2013 Custom Post Types\u201d with the identifier <strong>CVE-2026-25470<\/strong> (not yet listed in the NVD catalog at the time of publication) was disclosed. The vulnerability is rated with the highest possible CVSS score of <strong>10.0<\/strong> and allows attackers to execute arbitrary code without authentication (Remote Code Execution, RCE). 
All plugin versions up to and including <strong>2.0.47<\/strong> are affected, which poses a significant security risk to the operators of the affected websites.<\/p>\r\n        <\/div>\r\n    <\/div>\r\n<\/div>\r\n\r\n\r\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"400\" src=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/06\/cve-2026-25470-vulnerability-disclosure-featured.png\" alt=\"CVE-2026-25470: Critical Vulnerability in the WordPress Plugin ACPT (CVSS 10.0)\" class=\"wp-image-8634\" srcset=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/06\/cve-2026-25470-vulnerability-disclosure-featured.png 400w, https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/06\/cve-2026-25470-vulnerability-disclosure-featured-300x300.png 300w, https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/06\/cve-2026-25470-vulnerability-disclosure-featured-150x150.png 150w, https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/06\/cve-2026-25470-vulnerability-disclosure-featured-12x12.png 12w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\"><strong>Technical Analysis of the Vulnerability<\/strong><\/h2>\n\n\n\n<p>The vulnerability is classified as <strong>CWE-94 (Improper Control of Code Generation)<\/strong>, also known as code injection. It allows a remote, unauthenticated attacker to inject and execute their own program code directly in the web server's context. This enables the attacker to take complete control of the WordPress instance. 
The full technical description is available in the <a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/advanced-custom-post-type\/vulnerability\/wordpress-acpt-pro-custom-post-types-plugin-for-wordpress-plugin-2-0-47-remote-code-execution-rce-vulnerability?_s_id=cve\" target=\"_blank\" rel=\"noreferrer noopener\">Patchstack Advisory<\/a>.<\/p>\n\n\n\n<p>The CVSS vector <strong>CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H<\/strong> describes the critical nature of the problem. The most important parameters are explained below:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AV:N (Attack Vector: Network):<\/strong> The attack can be carried out over the Internet.<\/li>\n\n\n\n<li><strong>AC:L (Attack Complexity: Low):<\/strong> No complex preparations are necessary for a successful attack.<\/li>\n\n\n\n<li><strong>PR:N (Privileges Required: None):<\/strong> The attacker does not need any login credentials or existing permissions.<\/li>\n\n\n\n<li><strong>UI:N (User Interaction: None):<\/strong> An attack does not require any user interaction.<\/li>\n\n\n\n<li><strong>S:C (Scope: Changed):<\/strong> The attacker can use the WordPress plugin to compromise additional resources on the underlying web server or operating system.<\/li>\n<\/ul>\n\n\n\n<p>The discovery is attributed to security researcher Jarno Vos, who submitted the report through Patchstack's bug bounty program.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Impact on Corporate Security and Compliance<\/strong><\/h2>\n\n\n\n<p>A successful exploit of CVE-2026-25470 could lead to the compromise of the entire website. Possible consequences include the theft of sensitive data from the database (e.g., customer data), the distribution of malware, or the website being incorporated into a botnet. Such incidents pose not only a technical risk but also a compliance risk. 
Under regulations such as <strong>NIS-2<\/strong> or certifications in accordance with <strong>ISO 27001<\/strong>, organizations are required to implement effective vulnerability management and respond promptly to critical threats.<\/p>\n\n\n\n<p>For organizations in Germany, Austria, and Switzerland, this also gives rise to specific legal obligations: If exploitation of this vulnerability results in a data breach involving personal data, the <strong>GDPR reporting obligation under Article 33<\/strong> applies: Those responsible must report the incident to the competent data protection authority within <strong>72 hours<\/strong>. Operators of essential or important entities as defined in the <strong>NIS-2 Directive<\/strong> are also required to report significant security incidents immediately and to have appropriate protective measures in place. The BSI generally recommends immediately disabling unpatched plugins with a critical CVSS score until an official patch from the vendor is available.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Recommended Immediate Actions<\/strong><\/h2>\n\n\n\n<p>As of the date of publication on June 16, 2026, there was <strong>no official security patch<\/strong> from the plugin vendor. There is currently no patched version of the ACPT plugin; as soon as a corrected version is released, an immediate update will be required. Site administrators are therefore strongly advised to implement the following measure:<\/p>\n\n\n\n<p><strong>Primary Recommendation: Disable the plugin<\/strong> The safest way to minimize risk is to immediately deactivate and uninstall the ACPT plugin on all WordPress systems. 
This will completely remove the vulnerable component from the system environment.<\/p>\n\n\n\n<p>For customers of the security service provider Patchstack, a virtual patch (vPatch) is available\u2014if provided by Patchstack for this CVE\u2014that can block the attack attempt at the Web Application Firewall (WAF) level. However, this should only be considered a temporary workaround until an officially patched version of the plugin is released.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Achieve Transparency of the Attack Surface with LocateRisk<\/strong><\/h2>\n\n\n\n<p>Vulnerabilities such as CVE-2026-25470 highlight how quickly a single unpatched component can become a security vulnerability for an entire digital infrastructure, especially when WordPress installations in an enterprise environment have grown over time and are no longer fully inventoried.<\/p>\n\n\n\n<p>The LocateRisk <strong>External Attack Surface Management (EASM)<\/strong> platform automates the continuous discovery and assessment of all externally accessible IT systems. It identifies publicly accessible WordPress installations, including those that have been forgotten over time or are operated by external agencies without central documentation, and uses fingerprinting methods to detect plugins such as ACPT. 
This provides IT security teams with a quick and accurate overview of which systems are affected by a critical vulnerability before a security incident occurs.<\/p>\n\n\n\n<p>LocateRisk serves as a digital early-warning system: Instead of having to manually check dozens of instances, CISOs and IT teams can see at a glance which specific systems are affected by CVE-2026-25470 and can take countermeasures before attackers exploit the vulnerability.<\/p>\n\n\n\n<p>If external service providers or agencies manage WordPress installations on behalf of your company, this creates an additional vendor risk: The security of your digital presence then also depends on third-party patch management. With <strong>Continuous Vendor Risk Management (C-VRM)<\/strong>, LocateRisk supports the automated security assessment of such service providers and provides transparency regarding risks in the digital supply chain. The LocateRisk platform is operated in German data centers and helps organizations meet their GDPR requirements.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Sources and further information<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Patchstack (Primary Source):<\/strong> <a href=\"https:\/\/patchstack.com\/database\/wordpress\/plugin\/advanced-custom-post-type\/vulnerability\/wordpress-acpt-pro-custom-post-types-plugin-for-wordpress-plugin-2-0-47-remote-code-execution-rce-vulnerability?_s_id=cve\" target=\"_blank\" rel=\"noreferrer noopener\">WordPress ACPT (Pro) Plugin 2.0.47 \u2013 Remote Code Execution (RCE) Vulnerability<\/a><\/li>\n\n\n\n<li><strong>Wordfence Threat Intelligence:<\/strong> <a href=\"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/advanced-custom-post-type\/acpt-pro-custom-post-types-plugin-for-wordpress-2047-unauthenticated-remote-code-execution\" target=\"_blank\" rel=\"noreferrer noopener\">ACPT (Pro) &lt;= 2.0.47 - Unauthenticated 
Remote Code Execution<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Do you know your external attack surface?<\/strong><\/h2>\n\n\n\n<p>LocateRisk continuously and automatically identifies your external IT systems and assesses their security level. Gain clarity on your exposed assets.<\/p>\n\n\n\n<p><a href=\"https:\/\/locaterisk.com\/en\/demo\/\" target=\"_blank\" rel=\"noreferrer noopener\">Request a free safety check<\/a><\/p>\n\n\n\n<div class=\"wp-block-lr-faq-module\"><div class=\"content\"><h3><strong>Frequently asked questions<\/strong><\/h3><div class=\"faq-topic\"><hr\/><div class=\"collapsible-title\"><a class=\"pr-4\"><strong>What is CVE-2026-25470?<\/strong><\/a><img class=\"collapse-toggle\" srcset=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@3x.png 3x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@2x.png 2x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus.png 1x\"\/><\/div><div class=\"collapsible-content\"><p class=\"font-normal\">CVE-2026-25470 is a critical vulnerability (CVSS 10.0) in the WordPress plugin \u201cACPT (Pro) \u2013 Custom Post Types,\u201d classified as CWE-94 (Code Injection). It allows attackers to inject malicious code over the network to gain complete control over the web server (scope escalation). 
The vulnerability was publicly disclosed on June 16, 2026, through the Patchstack Bug Bounty Program.<\/p><\/div><\/div><div class=\"faq-topic\"><hr\/><div class=\"collapsible-title\"><a class=\"pr-4\"><strong>Which versions of the ACPT plugin are affected, and is there already a patch available?<\/strong><\/a><img class=\"collapse-toggle\" srcset=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@3x.png 3x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@2x.png 2x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus.png 1x\"\/><\/div><div class=\"collapsible-content\"><p class=\"font-normal\">All versions of the plugin up to and including <strong>2.0.47<\/strong> are affected by the vulnerability. As of the date of publication (June 16, 2026), there was <strong>no official patch<\/strong> from the manufacturer. It is recommended that you immediately deactivate and uninstall the plugin until a corrected version is available.<\/p><\/div><\/div><div class=\"faq-topic\"><hr\/><div class=\"collapsible-title\"><a class=\"pr-4\"><strong>How can site owners protect their WordPress installation if no patch is available?<\/strong><\/a><img class=\"collapse-toggle\" srcset=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@3x.png 3x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@2x.png 2x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus.png 1x\"\/><\/div><div class=\"collapsible-content\"><p class=\"font-normal\">The primary recommendation is to immediately disable and uninstall the ACPT plugin. Patchstack customers can enable temporary protection at the WAF level, provided that a corresponding virtual patch (vPatch) has been released for this CVE. 
However, this does not replace the official vendor patch and should only be used as a temporary measure.<\/p><\/div><\/div><\/div><\/div>","protected":false},"excerpt":{"rendered":"<p>Analysis of the critical remote code execution vulnerability CVE-2026-25470 (CVSS 10.0) in the WordPress plugin ACPT. Versions up to 2.0.47 are affected. 
Immediate action is required.<\/p>","protected":false},"author":13,"featured_media":8634,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[665,667,664,316,92,492,113,115,199,666],"class_list":["post-8632","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blogpost","tag-acpt-wordpress-plugin","tag-code-injection","tag-cve-2026-25470","tag-cvss-10-0","tag-easm","tag-patchstack","tag-rce","tag-schwachstelle","tag-vrm","tag-wordpress-sicherheit"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>CVE-2026-25470: Kritische Schwachstelle in WordPress-Plugin ACPT (CVSS 10.0) - LocateRisk<\/title>\n<meta name=\"description\" content=\"Analyse der kritischen Remote-Code-Execution-Schwachstelle CVE-2026-25470 (CVSS 10.0) im WordPress-Plugin ACPT. Betroffen sind Versionen bis 2.0.47. Sofortma\u00dfnahmen sind erforderlich.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/locaterisk.com\/en\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CVE-2026-25470: Kritische Schwachstelle in WordPress-Plugin ACPT (CVSS 10.0) - LocateRisk\" \/>\n<meta property=\"og:description\" content=\"Analyse der kritischen Remote-Code-Execution-Schwachstelle CVE-2026-25470 (CVSS 10.0) im WordPress-Plugin ACPT. Betroffen sind Versionen bis 2.0.47. 
Sofortma\u00dfnahmen sind erforderlich.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/locaterisk.com\/en\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\/\" \/>\n<meta property=\"og:site_name\" content=\"LocateRisk\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-17T11:23:32+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-17T14:43:47+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/06\/cve-2026-25470-vulnerability-disclosure-featured.png\" \/>\n\t<meta property=\"og:image:width\" content=\"400\" \/>\n\t<meta property=\"og:image:height\" content=\"400\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kristina Hoinkis\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kristina Hoinkis\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\\\/\"},\"author\":{\"name\":\"Kristina Hoinkis\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/person\\\/68f3857c15afa8ff59c545848dddcc32\"},\"headline\":\"CVE-2026-25470: Kritische Schwachstelle in WordPress-Plugin ACPT (CVSS 10.0)\",\"datePublished\":\"2026-06-17T11:23:32+00:00\",\"dateModified\":\"2026-06-17T14:43:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\\\/\"},\"wordCount\":761,\"publisher\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/cve-2026-25470-vulnerability-disclosure-featured.png\",\"keywords\":[\"ACPT WordPress Plugin\",\"Code Injection\",\"CVE-2026-25470\",\"CVSS 10.0\",\"EASM\",\"Patchstack\",\"RCE\",\"Schwachstelle\",\"VRM\",\"WordPress Sicherheit\"],\"articleSection\":[\"Blog post\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\\\/\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\\\/\",\"name\":\"CVE-2026-25470: Kritische Schwachstelle in WordPress-Plugin ACPT (CVSS 10.0) - 
LocateRisk\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/cve-2026-25470-vulnerability-disclosure-featured.png\",\"datePublished\":\"2026-06-17T11:23:32+00:00\",\"dateModified\":\"2026-06-17T14:43:47+00:00\",\"description\":\"Analyse der kritischen Remote-Code-Execution-Schwachstelle CVE-2026-25470 (CVSS 10.0) im WordPress-Plugin ACPT. Betroffen sind Versionen bis 2.0.47. Sofortma\u00dfnahmen sind erforderlich.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\\\/#primaryimage\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/cve-2026-25470-vulnerability-disclosure-featured.png\",\"contentUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/cve-2026-25470-vulnerability-disclosure-featured.png\",\"width\":400,\"height\":400,\"caption\":\"CVE-2026-25470: Kritische Schwachstelle in WordPress-Plugin ACPT (CVSS 
10.0)\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/locaterisk.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CVE-2026-25470: Kritische Schwachstelle in WordPress-Plugin ACPT (CVSS 10.0)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#website\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/\",\"name\":\"LocateRisk\",\"description\":\"IT-Sicherheit messen und vergleichen\",\"publisher\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#organization\",\"name\":\"LocateRisk\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2020\\\/11\\\/Kettenglieder_V0216-9.jpg\",\"contentUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2020\\\/11\\\/Kettenglieder_V0216-9.jpg\",\"width\":1920,\"height\":1080,\"caption\":\"LocateRisk\"},\"image\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.linkedin.com\\\/company\\\/locaterisk\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/person\\\/68f3857c15afa8ff59c545848dddcc32\",\"name\":\"Kristina 
Hoinkis\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g\",\"caption\":\"Kristina Hoinkis\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CVE-2026-25470: Critical Vulnerability in the WordPress Plugin ACPT (CVSS 10.0) - LocateRisk","description":"Analysis of the critical remote code execution vulnerability CVE-2026-25470 (CVSS 10.0) in the WordPress plugin ACPT. Versions up to 2.0.47 are affected. Immediate action is required.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/locaterisk.com\/en\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\/","og_locale":"en_US","og_type":"article","og_title":"CVE-2026-25470: Kritische Schwachstelle in WordPress-Plugin ACPT (CVSS 10.0) - LocateRisk","og_description":"Analyse der kritischen Remote-Code-Execution-Schwachstelle CVE-2026-25470 (CVSS 10.0) im WordPress-Plugin ACPT. Betroffen sind Versionen bis 2.0.47. 
Sofortma\u00dfnahmen sind erforderlich.","og_url":"https:\/\/locaterisk.com\/en\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\/","og_site_name":"LocateRisk","article_published_time":"2026-06-17T11:23:32+00:00","article_modified_time":"2026-06-17T14:43:47+00:00","og_image":[{"width":400,"height":400,"url":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/06\/cve-2026-25470-vulnerability-disclosure-featured.png","type":"image\/png"}],"author":"Kristina Hoinkis","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Kristina Hoinkis","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/locaterisk.com\/de\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\/#article","isPartOf":{"@id":"https:\/\/locaterisk.com\/de\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\/"},"author":{"name":"Kristina Hoinkis","@id":"https:\/\/locaterisk.com\/de\/#\/schema\/person\/68f3857c15afa8ff59c545848dddcc32"},"headline":"CVE-2026-25470: Kritische Schwachstelle in WordPress-Plugin ACPT (CVSS 10.0)","datePublished":"2026-06-17T11:23:32+00:00","dateModified":"2026-06-17T14:43:47+00:00","mainEntityOfPage":{"@id":"https:\/\/locaterisk.com\/de\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\/"},"wordCount":761,"publisher":{"@id":"https:\/\/locaterisk.com\/de\/#organization"},"image":{"@id":"https:\/\/locaterisk.com\/de\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\/#primaryimage"},"thumbnailUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/06\/cve-2026-25470-vulnerability-disclosure-featured.png","keywords":["ACPT WordPress Plugin","Code Injection","CVE-2026-25470","CVSS 10.0","EASM","Patchstack","RCE","Schwachstelle","VRM","WordPress Sicherheit"],"articleSection":["Blog 
post"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/locaterisk.com\/de\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\/","url":"https:\/\/locaterisk.com\/de\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\/","name":"CVE-2026-25470: Critical Vulnerability in the WordPress Plugin ACPT (CVSS 10.0) - LocateRisk","isPartOf":{"@id":"https:\/\/locaterisk.com\/de\/#website"},"primaryImageOfPage":{"@id":"https:\/\/locaterisk.com\/de\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\/#primaryimage"},"image":{"@id":"https:\/\/locaterisk.com\/de\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\/#primaryimage"},"thumbnailUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/06\/cve-2026-25470-vulnerability-disclosure-featured.png","datePublished":"2026-06-17T11:23:32+00:00","dateModified":"2026-06-17T14:43:47+00:00","description":"Analysis of the critical remote code execution vulnerability CVE-2026-25470 (CVSS 10.0) in the WordPress plugin ACPT. Versions up to 2.0.47 are affected. 
Immediate action is required.","breadcrumb":{"@id":"https:\/\/locaterisk.com\/de\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/locaterisk.com\/de\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/locaterisk.com\/de\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\/#primaryimage","url":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/06\/cve-2026-25470-vulnerability-disclosure-featured.png","contentUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/06\/cve-2026-25470-vulnerability-disclosure-featured.png","width":400,"height":400,"caption":"CVE-2026-25470: Kritische Schwachstelle in WordPress-Plugin ACPT (CVSS 10.0)"},{"@type":"BreadcrumbList","@id":"https:\/\/locaterisk.com\/de\/cve-2026-25470-kritische-schwachstelle-wordpress-plugin-acpt\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/locaterisk.com\/"},{"@type":"ListItem","position":2,"name":"CVE-2026-25470: Kritische Schwachstelle in WordPress-Plugin ACPT (CVSS 10.0)"}]},{"@type":"WebSite","@id":"https:\/\/locaterisk.com\/de\/#website","url":"https:\/\/locaterisk.com\/de\/","name":"LocateRisk","description":"Measure and compare IT 
security","publisher":{"@id":"https:\/\/locaterisk.com\/de\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/locaterisk.com\/de\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/locaterisk.com\/de\/#organization","name":"LocateRisk","url":"https:\/\/locaterisk.com\/de\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/locaterisk.com\/de\/#\/schema\/logo\/image\/","url":"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/11\/Kettenglieder_V0216-9.jpg","contentUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/11\/Kettenglieder_V0216-9.jpg","width":1920,"height":1080,"caption":"LocateRisk"},"image":{"@id":"https:\/\/locaterisk.com\/de\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/company\/locaterisk\/"]},{"@type":"Person","@id":"https:\/\/locaterisk.com\/de\/#\/schema\/person\/68f3857c15afa8ff59c545848dddcc32","name":"Kristina Hoinkis","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g","caption":"Kristina 
Hoinkis"}}]}},"_links":{"self":[{"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/posts\/8632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/comments?post=8632"}],"version-history":[{"count":2,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/posts\/8632\/revisions"}],"predecessor-version":[{"id":8635,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/posts\/8632\/revisions\/8635"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/media\/8634"}],"wp:attachment":[{"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/media?parent=8632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/categories?post=8632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/locaterisk.com\/en\/wp-json\/wp\/v2\/tags?post=8632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}