Description
The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9.2. This is due to missing nonce verification in the 'add_plugins_page' and 'add_themes_page' functions. This makes it possible for unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with attacker-controlled code via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Published: 2026-05-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Editor plugin for WordPress fails to verify nonces in the functions that render the plugin and theme file editor pages. This missing protection enables a Cross‑Site Request Forgery (CSRF) attack in which an unauthenticated attacker can forge a request that an administrator will inadvertently execute. By doing so the attacker can overwrite any PHP file in the plugin or theme directories with attacker‑controlled code, leading to full remote code execution on the site. The vulnerability is indexed as CWE‑352.

Affected Systems

The vulnerability affects the WP Editor plugin for WordPress from vendor benjaminprojas, in all released builds up to and including version 1.2.9.2. Any WordPress site that has this plugin installed at a vulnerable version is susceptible.

Risk and Exploitability

The assigned CVSS score of 8.8 indicates a high severity issue. EPSS is not available and the vulnerability is not currently listed in CISA’s KEV catalog, but the exploitation potential is significant because remote code execution is possible. The attack requires the attacker to convince an administrator to perform an action such as clicking a link, so social engineering is a prerequisite. Once the admin action succeeds, the attacker can exfiltrate data, deface the site, or pivot to other assets.

Generated by OpenCVE AI on May 1, 2026 at 23:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Editor plugin to the latest available version that includes a nonce verification for the file editor interfaces.
  • If an upgrade cannot be performed immediately, disable the plugin’s file editor support by adding define( 'DISALLOW_FILE_EDIT', true ); to wp-config.php or removing the plugin until a fix is applied.
  • Continuously monitor the plugins and themes directories for unexpected changes or new PHP files, and employ file integrity monitoring to detect unauthorized modifications.

Generated by OpenCVE AI on May 1, 2026 at 23:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 01 May 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Benjaminrojas
Benjaminrojas wp Editor
Wordpress
Wordpress wordpress
Vendors & Products Benjaminrojas
Benjaminrojas wp Editor
Wordpress
Wordpress wordpress

Fri, 01 May 2026 11:45:00 +0000

Type Values Removed Values Added
Description The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9.2. This is due to missing nonce verification in the 'add_plugins_page' and 'add_themes_page' functions. This makes it possible for unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with attacker-controlled code via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Title WP Editor <= 1.2.9.2 - Cross-Site Request Forgery to Remote Code Execution via Plugin and Theme File Editor
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Benjaminrojas Wp Editor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-01T16:35:20.995Z

Reserved: 2026-03-07T21:10:44.307Z

Link: CVE-2026-3772

cve-icon Vulnrichment

Updated: 2026-05-01T16:35:17.233Z

cve-icon NVD

Status : Deferred

Published: 2026-05-01T12:16:16.713

Modified: 2026-05-01T15:26:24.553

Link: CVE-2026-3772

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T00:00:14Z

Weaknesses