Overview
CVE-2025-13405 is a medium-severity missing-authorization vulnerability in the Ace Post Type Builder plugin for WordPress. Any authenticated user, down to the Subscriber role, can delete arbitrary custom taxonomies because the cptb_delete_custom_taxonomy() function performs no authorization check before acting. All versions up to and including 1.9 are affected. Because the only precondition is a low-privilege account, the flaw is a direct threat to site integrity and content organisation.
Technical Details
The vulnerability resides in the cptb_delete_custom_taxonomy() function in `includes/class-cptb-core.php` (reported at line 400 in versions up to and including 1.9). The function performs no capability check before deleting a taxonomy, so any authenticated user, regardless of role, can trigger the deletion by sending a request that reaches the function. In WordPress a user's role is enforced only where code asks for it, normally with current_user_can() and, for state-changing requests, a nonce check; a handler that omits the capability check is reachable by every logged-in account, which is why a Subscriber, the lowest default role, can bypass the intended access control and disrupt the site.
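The following is an added example written for this page, not code from the Ace Post Type Builder plugin: a hypothetical AJAX deletion handler in the vulnerable shape the advisory describes, followed by a hardened version. The function names, the `example_delete_taxonomy` AJAX action and the `example_custom_taxonomies` option key are assumptions; the WordPress API calls (`check_ajax_referer()`, `current_user_can()`, `wp_send_json_success()`, `wp_send_json_error()`) are real.

```php
<?php
// Added example for this page; NOT the Ace Post Type Builder source.
// Assumed names: example_delete_taxonomy (AJAX action) and
// example_custom_taxonomies (option key holding the plugin's taxonomy definitions).

// BEFORE: the pattern the advisory describes. wp_ajax_{action} hooks fire for
// every logged-in user, Subscriber included (only wp_ajax_nopriv_{action} is
// for anonymous visitors). With no capability or nonce check, any account can
// POST action=example_delete_taxonomy&taxonomy=<slug> to admin-ajax.php.
function example_delete_custom_taxonomy_vulnerable() {
    $taxonomy = isset( $_POST['taxonomy'] ) ? sanitize_key( wp_unslash( $_POST['taxonomy'] ) ) : '';

    $stored = get_option( 'example_custom_taxonomies', array() );
    unset( $stored[ $taxonomy ] );
    update_option( 'example_custom_taxonomies', $stored );

    wp_send_json_success( array( 'deleted' => $taxonomy ) );
}
// The vulnerable registration would look like this (left unregistered here):
// add_action( 'wp_ajax_example_delete_taxonomy', 'example_delete_custom_taxonomy_vulnerable' );

// AFTER: authorization and CSRF checks before any state change.
function example_delete_custom_taxonomy_hardened() {
    // CSRF: the request must carry a nonce minted for this action, e.g.
    // wp_create_nonce( 'example_delete_taxonomy' ) handed to the admin JS.
    // check_ajax_referer() rejects the request on a missing or stale nonce.
    check_ajax_referer( 'example_delete_taxonomy', 'nonce' );

    // Authorization: a nonce proves intent, not privilege. manage_options is
    // held by Administrators only, so a Subscriber fails here with HTTP 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Validation: act only on a taxonomy this plugin actually manages.
    $taxonomy = isset( $_POST['taxonomy'] ) ? sanitize_key( wp_unslash( $_POST['taxonomy'] ) ) : '';
    $stored   = get_option( 'example_custom_taxonomies', array() );
    if ( '' === $taxonomy || ! isset( $stored[ $taxonomy ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown taxonomy.' ), 400 );
    }

    unset( $stored[ $taxonomy ] );
    update_option( 'example_custom_taxonomies', $stored );

    wp_send_json_success( array( 'deleted' => $taxonomy ) );
}
add_action( 'wp_ajax_example_delete_taxonomy', 'example_delete_custom_taxonomy_hardened' );
```

Both checks are needed: the nonce alone would still let a Subscriber delete taxonomies from their own session, and the capability check alone would let an attacker trick an administrator's browser into sending the request. wp_send_json_error() and check_ajax_referer() terminate the request, so the deletion code below them is never reached on failure.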
CVSS Analysis
- CVSS Score: 5.3 (Medium), as published for this CVE
- Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Explanation: The vector encodes a network-reachable flaw (AV:N) that is easy to exploit (AC:L), needs a low-privilege account (PR:L), needs no victim interaction (UI:N), stays within the plugin's security scope (S:U) and affects only integrity, partially (C:N, I:L, A:N). Note that this vector evaluates to 4.3, not 5.3, under the CVSS v3.1 formula; 5.3 is what the same vector yields with PR:N, which would contradict the Subscriber-level precondition. One of the two values on this page is therefore inconsistent and should be checked against the upstream advisory; either way the rating is Medium. The flaw does not directly compromise confidentiality or availability, but deleting taxonomies disrupts site function and may force a restore from backup.
Possible Impact
Successful exploitation of this vulnerability could lead to:
- Data Loss: Deletion of custom taxonomies can lead to loss of associated data and content organization.
- Website Disruption: Removing taxonomies can break website functionality, causing errors and rendering content inaccessible.
- SEO Impact: Loss of taxonomies can negatively impact search engine optimization efforts.
- Data Integrity Issues: The deletion of taxonomy information can leave the website in an inconsistent state.
Mitigation and Patch Steps
To mitigate this vulnerability, immediate action is required. The only precondition is a Subscriber account, so sites with open registration (Settings > General > "Anyone can register", which assigns the Subscriber role by default) are exposed to anyone on the internet:
- Update the Plugin: Check for updates to the Ace Post Type Builder plugin. If a patched version is available (later than 1.9), update immediately.
- Disable the Plugin: If an update is not yet available, temporarily disable the Ace Post Type Builder plugin until a patch is released.
- Implement Web Application Firewall (WAF) Rules: As a stopgap, use a WAF or server-side rule to block requests from non-administrator sessions that reach the deletion handler, i.e. the AJAX action or admin endpoint that invokes cptb_delete_custom_taxonomy() (the exact request parameters are in the plugin source). A WAF sees only the HTTP request, not the PHP function call, and is a less reliable control than patching.
- Monitor Website Activity: Watch for unexpected taxonomy deletions and for low-privilege accounts issuing admin-ajax.php or admin-post.php requests tied to the plugin. A deletion you did not initiate is a sign the flaw has already been exploited and the affected content should be restored from backup.
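As an added example (not from the advisory or the plugin), the following must-use plugin shows the shape of an interim guard for the WAF and monitoring steps above: it intercepts the plugin's deletion request before the handler runs, logs every attempt, and rejects callers without `manage_options`. The action name in `EXAMPLE_GUARDED_ACTIONS` is a placeholder; take the real value from the plugin's JavaScript or PHP before deploying. It assumes the plugin dispatches through admin-ajax.php or admin-post.php, both of which fire `admin_init` before running the handler.

```php
<?php
/**
 * Plugin Name: Example interim guard for taxonomy deletion
 * Description: Added example, not part of the plugin. Save as wp-content/mu-plugins/example-taxonomy-guard.php.
 */

// ASSUMPTION: replace with the real 'action' value the plugin sends when deleting a taxonomy.
const EXAMPLE_GUARDED_ACTIONS = array( 'REPLACE_WITH_PLUGIN_DELETE_ACTION' );

function example_taxonomy_delete_guard() {
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( ! in_array( $action, EXAMPLE_GUARDED_ACTIONS, true ) ) {
        return; // not the request we care about
    }

    $user    = wp_get_current_user(); // ID 0 and no roles when not logged in
    $allowed = current_user_can( 'manage_options' );

    // Monitoring: one line per attempt in the PHP error log (forward it to your SIEM).
    error_log( sprintf(
        'taxonomy-delete-guard action=%s user=%s uid=%d roles=%s ip=%s allowed=%s',
        $action,
        $user->user_login ?: 'anonymous',
        $user->ID,
        implode( ',', (array) $user->roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        $allowed ? 'yes' : 'no'
    ) );

    if ( $allowed ) {
        return; // Administrator: fall through to the plugin's own handler
    }

    // Anyone else (Subscriber, Editor, anonymous) is stopped here with HTTP 403.
    if ( wp_doing_ajax() ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }
    wp_die( 'Forbidden.', 'Forbidden', array( 'response' => 403 ) );
}
// Priority 0 so this runs before the plugin's own admin_init and wp_ajax_* callbacks.
add_action( 'admin_init', 'example_taxonomy_delete_guard', 0 );
```

If the plugin exposes the deletion through a REST route instead, the equivalent interception point is the `rest_pre_dispatch` filter with the same capability test. A guard like this only narrows the window until the update is applied; it does not fix the missing check inside the plugin.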
