Description
Cross-Site Request Forgery (CSRF) vulnerability in POEditor POEditor poeditor allows Path Traversal. This issue affects POEditor: from n/a through <= 0.9.10.
Published: 2025-06-06
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a cross‑site request forgery: an attacker can cause a logged‑in victim's browser to submit a file‑deletion request to the plugin, and because the file name is not confined to the plugin's own directory, path traversal lets that request delete files elsewhere on the server. The attack can wipe configuration files, database backups, or other critical data, leading to loss of availability and potential data loss. The flaw is classified as CWE‑352 (Cross‑Site Request Forgery), the weakness in which an application acts on a state‑changing request without verifying that the user intentionally sent it.

Affected Systems

The PoEditor WordPress plugin, versions from the original release up to and including 0.9.10, is affected. Any WordPress installation running one of these revisions of the plugin is vulnerable.

Risk and Exploitability

The CVSS score of 7.4 indicates a high impact if exploited. The EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is low at present. The vulnerability is not listed in CISA's KEV catalog. Attacks would typically require a victim who is logged into the WordPress site to click a crafted link or load a malicious page that tricks the browser into issuing the deletion request. The attacker needs no account or privileges on the site (PR:N in the CVSS vector), so the risk is largely contingent on user interaction (UI:R).

Generated by OpenCVE AI on April 30, 2026 at 12:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PoEditor plugin to the latest version (0.9.11 or newer).
  • Remove or disable the PoEditor plugin if it is not needed; if kept, restrict the delete functionality to administrators only.
  • Add a firewall or WAF rule to deny or log DELETE requests to the plugin’s file‑deletion endpoint when not coming from trusted sources.
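The two checks that close this class of bug, a nonce tied to the user's session (against CSRF) and containment of the resolved path inside the plugin's own directory (against path traversal), as an added example of a hardened WordPress admin‑post handler. This is illustrative code, not the PoEditor plugin's own; the hook name, directory constant and function name are assumptions.

```php
<?php
// Added example, not the plugin's code: a hardened admin-post handler that
// deletes a translation file only when the request carries a valid nonce,
// the caller has the required capability, and the resolved path stays
// inside the allowed directory. EXAMPLE_PO_DIR and the hook name are assumed.

define( 'EXAMPLE_PO_DIR', WP_CONTENT_DIR . '/uploads/example-po/' ); // assumed storage dir

function example_po_delete_file() {
    // CWE-352 check: the form that posts here must emit
    // wp_nonce_field( 'example_po_delete', '_example_po_nonce' );
    // a forged cross-site request cannot know the nonce, so it dies here.
    check_admin_referer( 'example_po_delete', '_example_po_nonce' );

    // Capability check: a logged-in low-privilege user must not reach the delete.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    $name = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';

    // Path-traversal check: drop any directory components, then prove the
    // resolved path is inside the allowed directory before touching it.
    // realpath() returns false for a non-existent file, which is rejected too.
    $safe_name = sanitize_file_name( basename( $name ) );
    $base      = realpath( EXAMPLE_PO_DIR );
    $target    = realpath( EXAMPLE_PO_DIR . $safe_name );

    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR )
        || ! in_array( pathinfo( $target, PATHINFO_EXTENSION ), array( 'po', 'pot', 'mo' ), true ) ) {
        wp_die( 'Invalid file.', '', array( 'response' => 400 ) );
    }

    if ( ! unlink( $target ) ) {
        wp_die( 'Could not delete file.', '', array( 'response' => 500 ) );
    }

    wp_safe_redirect( admin_url( 'admin.php?page=example-po&deleted=1' ) );
    exit;
}

// Register the handler for authenticated admin-post.php requests only.
add_action( 'admin_post_example_po_delete', 'example_po_delete_file' );
```

Limiting the action to `admin_post_` (not `admin_post_nopriv_`) means an unauthenticated request never reaches the handler, and the nonce check means an authenticated but forged one fails before any file system call.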



Advisories

Source: EUVD
ID: EUVD-2025-17296
Title: Cross-Site Request Forgery (CSRF) vulnerability in POEditor POEditor allows Path Traversal. This issue affects POEditor: from n/a through 0.9.10.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1), value added:
{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Description, value removed:
Cross-Site Request Forgery (CSRF) vulnerability in POEditor POEditor allows Path Traversal. This issue affects POEditor: from n/a through 0.9.10.
Description, value added:
Cross-Site Request Forgery (CSRF) vulnerability in POEditor POEditor poeditor allows Path Traversal.This issue affects POEditor: from n/a through <= 0.9.10.
References: changed (values not listed)
Metrics (cvssV3_1), value added:
{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H'}

Fri, 06 Jun 2025 17:15:00 +0000

Metrics (ssvc), value added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Jun 2025 13:00:00 +0000

Description, value added:
Cross-Site Request Forgery (CSRF) vulnerability in POEditor POEditor allows Path Traversal. This issue affects POEditor: from n/a through 0.9.10.
Title, value added:
WordPress POEditor plugin <= 0.9.10 - CSRF to Arbitrary File Deletion vulnerability
Weaknesses, value added: CWE-352
References: changed (values not listed)
Metrics (cvssV3_1), value added:
{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:58.960Z

Reserved: 2025-06-04T09:40:52.585Z

Link: CVE-2025-49237

Vulnrichment

Updated: 2025-06-06T15:41:07.761Z

NVD

Status: Deferred

Published: 2025-06-06T13:15:41.017

Modified: 2026-04-23T15:31:17.930

Link: CVE-2025-49237

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T12:15:36Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)