WordPress ACPT (Pro) - Custom Post Types plugin for WordPress plugin <= 2.0.47 - Remote Code Execution (RCE) vulnerability

Vulnerability

A code injection vulnerability exists in the ACPT (Pro) - Custom Post Types Plugin for WordPress, affecting versions from n/a through 2.0.47 [1]. The plugin fails to properly control the generation of code, allowing an attacker to inject and execute arbitrary PHP code on the server. The vulnerability is reachable without any special configuration or authentication [1].

Exploitation

An attacker can exploit this vulnerability remotely without requiring any authentication or user interaction. The code injection is likely triggered via malicious input to a plugin parameter or endpoint, as the vulnerability is categorized as a code injection and remote code inclusion [1]. The attack does not require a privileged network position, as it is accessible over the web to any unauthenticated visitor [1].

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the target WordPress server [1]. This can lead to full compromise of the website, including gaining backdoor access, data theft, site defacement, and potential lateral movement within the hosting environment [1]. The vulnerability is rated as critical and is expected to be used in mass-exploit campaigns targeting thousands of websites [1].

Mitigation

The official advisory recommends immediately updating the plugin to a patched version beyond 2.0.47 [1]. No workaround is described. Since this vulnerability is listed as expected to become exploited, users unable to update should contact their hosting provider or web developer for assistance [1]. No fix version or patch release date is provided in the available references [1].