CVE-2026-25470

ACPT · ACPT (Pro) - Custom Post Types Plugin

A code injection vulnerability in the ACPT (Pro) plugin for WordPress allows unauthenticated remote attackers to execute arbitrary code.

Executive summary

A critical remote code execution vulnerability in the ACPT (Pro) WordPress plugin allows unauthenticated attackers to gain complete control over the host server.

Vulnerability

This flaw (CWE-94) arises from improper control of code generation, which permits an unauthenticated remote attacker to inject and execute malicious PHP code within the WordPress environment. The vulnerability effectively bypasses all authentication mechanisms, granting full system access to an attacker.

Business impact

Successful exploitation of this vulnerability results in a total compromise of the affected WordPress instance, leading to data exfiltration, unauthorized administrative access, and potential lateral movement into the hosting infrastructure. Given the CVSS score of 10.0, this represents the highest level of risk to operational integrity and data confidentiality.

Remediation

Immediate Action: As of June 16, 2026, no official patch is available; administrators should immediately disable or uninstall the ACPT (Pro) plugin until a secure version is released.

Proactive Monitoring: Review web server access logs for suspicious POST requests or attempts to access configuration files that deviate from standard user traffic patterns.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block common code injection patterns and attempts to access sensitive plugin directories.
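The log review recommended above can be scripted. The following is an added example, not part of this advisory and not code from the plugin vendor: it parses web server access logs in the common combined format and flags POST requests aimed directly at the plugin's directory, POSTs to any plugin PHP file that bypass WordPress's normal entry points, and direct requests for configuration files. The plugin directory slug is a placeholder because the advisory does not state the install path, and the log lines are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Placeholder: the advisory does not name the plugin's install directory.
# Replace with the real slug found under wp-content/plugins/ on the host.
PLUGIN_SLUG = "PLUGIN-SLUG-PLACEHOLDER"

# Configuration files that ordinary visitors never request directly.
CONFIG_FILES = ("wp-config.php", "wp-config.php.bak", ".env", ".htaccess")

# Apache/Nginx combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jun/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jun/2026:10:01:05 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2026:10:02:11 +0000] "POST /wp-content/plugins/PLUGIN-SLUG-PLACEHOLDER/somefile.php HTTP/1.1" 200 44 "-" "curl/8.0"
198.51.100.7 - - [16/Jun/2026:10:02:12 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.5 - - [16/Jun/2026:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 20 "-" "Mozilla/5.0"
"""


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    reason: str


def classify(method: str, path: str) -> Optional[str]:
    """Return a reason string if the request deviates from normal WordPress traffic."""
    clean = path.lower().split("?", 1)[0]
    plugin_dir = f"/wp-content/plugins/{PLUGIN_SLUG.lower()}/"
    if method == "POST" and plugin_dir in clean:
        return "POST to plugin directory"
    # Normal WordPress traffic is routed through index.php, wp-admin/*.php or
    # wp-json; a POST straight at a plugin's PHP file is worth a look.
    if method == "POST" and "/wp-content/plugins/" in clean and clean.endswith(".php"):
        return "POST directly to a plugin PHP file"
    if clean.rsplit("/", 1)[-1] in CONFIG_FILES:
        return "direct request for configuration file"
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Parse each access log line and collect the requests that match a rule."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; tolerate rather than abort the review
        reason = classify(m["method"], m["path"])
        if reason:
            findings.append(Finding(m["ip"], m["ts"], m["method"],
                                    m["path"], int(m["status"]), reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.ip} {f.method} {f.path} {f.status} -> {f.reason}")
```

Run it against the real access log with `scan(open(path).read().splitlines())`. The two heuristics that do not depend on the plugin slug will also surface unrelated probing, so baseline them against a week of known-good traffic before treating a hit as evidence of exploitation.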

Exploitation status

Public Exploit Available: false

Analyst recommendation

Due to the critical severity of this vulnerability and the lack of an immediate patch, the risk of total system compromise is extreme. Organizations utilizing this plugin must prioritize its removal or isolation from the public-facing network until the vendor provides a remediation path.