The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0. This is due to missing or incorrect nonce validation on the 'theme_editor_theme' page. This makes it possible for unauthenticated attackers to achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Metrics
Affected Vendors & Products
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Sat, 18 Oct 2025 08:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0. This is due to missing or incorrect nonce validation on the 'theme_editor_theme' page. This makes it possible for unauthenticated attackers to achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |
Title | Theme Editor <= 3.0 - Cross-Site Request Forgery to Remote Code Execution | |
Weaknesses | CWE-352 | |
References |
|
|
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2025-10-18T08:25:35.623Z
Reserved: 2025-09-02T22:46:48.863Z
Link: CVE-2025-9890

No data.

Status : Received
Published: 2025-10-18T09:15:34.687
Modified: 2025-10-18T09:15:34.687
Link: CVE-2025-9890

No data.

No data.