CVE-2025-23530

High

Published: 16 January 2025

Published

16 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0012 30.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Cross-Site Request Forgery (CSRF) vulnerability in yonisink Custom Post Type Lockdown custom-post-type-lockdown allows Privilege Escalation.This issue affects Custom Post Type Lockdown: from n/a through <= 1.11.

Security Summary

CVE-2025-23530 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the yonisink Custom Post Type Lockdown WordPress plugin (custom-post-type-lockdown). The flaw enables privilege escalation and affects the plugin from unknown initial versions through version 1.11 inclusive.

With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), the vulnerability is exploitable over the network by unauthenticated attackers with low complexity, requiring only user interaction such as clicking a malicious link or submitting a forged request. Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, specifically through privilege escalation on the targeted WordPress site.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/custom-post-type-lockdown/vulnerability/wordpress-custom-post-type-lockdown-plugin-1-11-csrf-to-privilege-escalation-vulnerability?_s_id=cve) documents this CSRF-to-privilege-escalation issue in Custom Post Type Lockdown version 1.11.

Details

CWE(s): CWE-352

References

https://patchstack.com/database/Wordpress/Plugin/custom-post-type-lockdown/vulnerability/wordpress-custom-post-type-lockdown-plugin-1-11-csrf-to-privilege-escalation-vulnerability?_s_id=cve
audit@patchstack.com