CVE-2025-1510

CVE-2025-1510 is an arbitrary shortcode execution vulnerability in the Custom Post Type Date Archives plugin for WordPress, affecting all versions up to and including 2.7.1. The issue stems from the plugin allowing execution of an action that fails to properly validate a value prior to invoking the do_shortcode function, enabling attackers to inject and run arbitrary shortcodes. It is classified under CWE-94 (Improper Control of Generation of Code) with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges or user interaction. Exploitation allows execution of arbitrary shortcodes on the target WordPress site, potentially compromising confidentiality, integrity, and availability to a low degree depending on the shortcodes used and site configuration.

Mitigation details and further advisories are available from sources including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/996ade9c-2531-4f43-87f6-eddb2ce98a12?source=cve and the plugin page at https://wordpress.org/plugins/custom-post-type-date-archives/. Security practitioners should check for plugin updates and review these resources for patching guidance.