The Ace Post Type Builder plugin for WordPress, developed by buywptemplates, suffers from a missing authorization vulnerability identified as CVE-2025-13405. This vulnerability arises from the lack of proper authorization checks in the cptb_delete_custom_taxonomy() function, which is responsible for deleting custom taxonomies within the plugin. Custom taxonomies are essential for organizing content in WordPress, and unauthorized deletion can disrupt website structure and content categorization. The vulnerability affects all versions up to and including 1.9. An attacker with at least Subscriber-level privileges—meaning any authenticated user with minimal permissions—can exploit this flaw to delete arbitrary custom taxonomies without further authorization or user interaction. The CVSS 3.1 base score is 5.3 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required beyond authentication, and no user interaction needed. The impact is limited to integrity as confidentiality and availability are not directly affected. No public exploits have been reported yet, and no patches are currently linked, indicating that mitigation may rely on vendor updates or manual access control measures. This vulnerability highlights the risk of insufficient authorization checks in WordPress plugins, especially those managing content structures.

The primary impact of this vulnerability is on the integrity of WordPress sites using the Ace Post Type Builder plugin. Unauthorized deletion of custom taxonomies can lead to loss or misclassification of content, disrupting website navigation, SEO, and user experience. For organizations relying heavily on custom taxonomies for content management, this could result in significant operational disruption and increased administrative overhead to restore or recreate taxonomies. Although the vulnerability does not directly affect confidentiality or availability, the integrity compromise could indirectly affect business reputation and trust. Since exploitation requires only Subscriber-level access, any compromised or malicious user account could trigger the attack, increasing the risk in environments with many registered users or weak account controls. The lack of known exploits suggests limited current threat activity, but the ease of exploitation and broad impact potential warrant proactive mitigation.

Organizations should immediately review user roles and permissions to ensure that Subscriber-level accounts are tightly controlled and monitored. Restricting plugin access or disabling the Ace Post Type Builder plugin until a patch is available is advisable. If possible, implement web application firewall (WAF) rules to detect and block requests attempting to invoke the cptb_delete_custom_taxonomy() function. Regularly audit custom taxonomies and maintain backups to enable quick restoration if unauthorized deletions occur. Engage with the plugin vendor or community to obtain or develop patches addressing the missing authorization checks. Additionally, consider employing WordPress security plugins that can enforce granular access controls and monitor for suspicious activity related to taxonomy management. Educate site administrators about the risk and encourage prompt updates once a fix is released.