Description
Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection. This issue affects Theme Editor: from n/a through <= 3.2.
Published: 2026-04-08
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Theme Editor plugin for WordPress contains a cross-site request forgery flaw (CWE-352) that lets an unauthenticated attacker trigger a code injection through the browser of an authenticated user. Once the injected payload executes on the server, the attacker has remote code execution on the affected WordPress site, enabling full compromise of confidentiality, integrity, and availability (the CVSS vector in the History section rates all three High, with changed scope).

Affected Systems

The flaw exists in all releases of the Theme Editor plugin by mndpsingh287 up to and including version 3.2. Any WordPress installation running the plugin at version 3.2 or earlier is affected; the advisory does not name a fixed version.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 9.6 (Critical) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges required of the attacker, but user interaction required. That profile is a classic CSRF. The attacker needs no account of their own but must persuade a logged-in administrator (or another user permitted to use the plugin) to load a crafted page or submit a crafted form while authenticated; the victim's browser then sends the forged request with the victim's session cookies, and the server acts on it as if the administrator had made the edit. The EPSS score of less than 1% indicates a low observed probability of exploitation so far, and the CVE is not listed in the CISA KEV catalog; the SSVC assessment likewise records no known exploitation and rates the attack as not automatable. None of that reduces the technical impact, which SSVC rates as total. No vendor fix or workaround is listed on this page, so site owners should treat the issue as serious and remediate promptly using the recommended actions below.

Generated by OpenCVE AI on April 14, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Theme Editor to a version newer than 3.2 if one is available
  • If an upgrade is not immediately possible, disable or remove the plugin from the site
  • Verify that other installed plugins or themes are free of similar vulnerabilities
  • Monitor site logs for unexpected code modifications and suspicious activity
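The last recommended action above, monitoring for unexpected code modifications, is the one a site owner can act on before a fixed plugin version exists. The following is an added example, not code from the OpenCVE page or from the Theme Editor plugin: a small file-integrity check for a WordPress themes directory. It snapshots SHA-256 digests of every file under the directory, diffs a later snapshot against the baseline to report added, removed and modified files, and scans any new or changed PHP file for a handful of constructs that commonly appear in injected backdoors. The theme files, the injected payloads, and the list of suspicious constructs are all constructed here for illustration and are assumptions, not anything taken from the advisory.

```python
"""Added example (not part of the OpenCVE page or of the Theme Editor plugin):
a file-integrity check for a WordPress themes directory, supporting the
'monitor for unexpected code modifications' recommendation.

A CSRF-driven write through a theme file editor leaves the same trace any other
unauthorised edit does: a theme file whose hash no longer matches the baseline,
or a new PHP file that was never part of the theme. This script detects both.
"""
import hashlib
import os
import re
import tempfile

# Constructs that are rare in legitimate theme code but common in web shells.
# Assumption: tune this list for your own code base; it is illustrative only.
SUSPICIOUS = [
    re.compile(rb"\beval\s*\("),
    re.compile(rb"\bbase64_decode\s*\("),
    re.compile(rb"\b(system|shell_exec|passthru|exec)\s*\("),
    re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\("),  # $_POST['f'](...)
]


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Classify paths as added, removed or modified between two snapshots."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def scan_for_backdoor_markers(root, rel_paths):
    """Return {rel_path: [matched patterns]} for PHP files containing suspicious constructs."""
    hits = {}
    for rel in rel_paths:
        if not rel.endswith(".php"):
            continue
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        matched = [p.pattern.decode() for p in SUSPICIOUS if p.search(data)]
        if matched:
            hits[rel] = matched
    return hits


def check_themes_dir(root, baseline):
    """One monitoring pass: diff against the baseline, then scan anything new or changed."""
    current = snapshot(root)
    changes = diff_snapshots(baseline, current)
    changes["suspicious"] = scan_for_backdoor_markers(root, changes["added"] + changes["modified"])
    return changes


def demo():
    """Constructed scenario: a clean theme, then an edited functions.php and a dropped shell."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "twentytwentyfour")  # assumed theme directory name
        os.makedirs(theme)
        with open(os.path.join(theme, "functions.php"), "w") as f:
            f.write("<?php\nadd_theme_support('title-tag');\n")
        with open(os.path.join(theme, "style.css"), "w") as f:
            f.write("/* Theme Name: Demo */\n")
        baseline = snapshot(theme)  # taken while the theme is known-good

        # Simulate what an unauthorised write through a file editor could leave behind
        # (constructed payloads; nothing here is from the advisory).
        with open(os.path.join(theme, "functions.php"), "a") as f:
            f.write("if(isset($_GET['c'])){eval(base64_decode($_GET['c']));}\n")
        with open(os.path.join(theme, "wp-cache.php"), "w") as f:
            f.write("<?php $_POST['f']($_POST['a']);\n")

        return check_themes_dir(theme, baseline)


if __name__ == "__main__":
    result = demo()
    for kind in ("added", "removed", "modified"):
        print(f"{kind}: {result[kind]}")
    for path, patterns in result["suspicious"].items():
        print(f"SUSPICIOUS {path}: {patterns}")
```

In real use, take the baseline with `snapshot()` from a freshly installed or freshly updated theme directory (for example wp-content/themes), store it outside the web root, and run `check_themes_dir()` on a schedule; any entry in "added" or "modified" that does not correspond to a deliberate theme update or plugin upgrade deserves investigation, whether or not the pattern scan flags it.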

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 15:15:00 +0000

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Mndpsingh287; Mndpsingh287 theme Editor; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Mndpsingh287; Mndpsingh287 theme Editor; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type: Description
Values removed: (none)
Values added: Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection. This issue affects Theme Editor: from n/a through <= 3.2.

Type: Title
Values removed: (none)
Values added: WordPress Theme Editor plugin <= 3.2 - Cross Site Request Forgery (CSRF) to Remote Code Execution vulnerability

Type: Weaknesses
Values removed: (none)
Values added: CWE-352

Type: References
Values removed: (none)
Values added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-14T14:22:14.760Z

Reserved: 2026-04-07T10:57:43.491Z

Link: CVE-2026-39640

Vulnrichment

Updated: 2026-04-14T14:20:51.847Z

NVD

Status : Deferred

Published: 2026-04-08T09:16:34.803

Modified: 2026-04-24T18:06:24.707

Link: CVE-2026-39640

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:30Z

Weaknesses