CVE-2026-3772
Cross-Site Request Forgery in WP Editor Plugin
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_editor | wp_editor | up to and including 1.2.9.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.2.9.2. The plugin's 'add_plugins_page' and 'add_themes_page' functions do not verify a nonce, the per-user, per-action token WordPress uses to confirm that a request was intentionally submitted from the site's own admin pages rather than from a third-party page.
Because that check is missing, an attacker can trick a site administrator into submitting a forged request unknowingly, for example by getting them to click a malicious link while logged in. The administrator's browser attaches their session cookies automatically, so the request is processed with their privileges and the attacker can overwrite arbitrary plugin and theme PHP files with code of their choosing.
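To make the missing check concrete, the following is an added illustration written for this page, not the WP Editor plugin's own code and not its patch. It shows the generic CSRF-prone pattern the advisory describes (a state-changing admin action that trusts the cookie session alone) beside a hardened form that adds a capability check, nonce verification and a path restriction. The `demo_*` function names, the `_demo_nonce` field and the form fields are hypothetical; `wp_nonce_field`, `check_admin_referer`, `current_user_can`, `wp_die`, `wp_unslash`, `sanitize_text_field` and `WP_PLUGIN_DIR` are real WordPress APIs.

```php
<?php
// Added example for CVE-2026-3772 (CWE-352). Not the WP Editor plugin's code;
// all demo_* names and form field names are hypothetical.

// --- Vulnerable pattern --------------------------------------------------
// Any page an authenticated administrator visits can auto-submit a form to
// this handler; the browser sends the admin's cookies, and nothing here
// proves the admin meant to send the request.
function demo_save_file_vulnerable() {
    if ( isset( $_POST['demo_file'], $_POST['demo_content'] ) ) {
        // Trusts request data and the cookie session only (also allows '../').
        file_put_contents( WP_PLUGIN_DIR . '/' . $_POST['demo_file'], $_POST['demo_content'] );
    }
}

// --- Hardened pattern ----------------------------------------------------
function demo_render_form_hardened() {
    echo '<form method="post">';
    // Emits a hidden _demo_nonce field bound to this action and the current user.
    wp_nonce_field( 'demo_save_file', '_demo_nonce' );
    echo '<input type="text" name="demo_file">';
    echo '<textarea name="demo_content"></textarea>';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

function demo_save_file_hardened() {
    if ( ! isset( $_POST['demo_file'], $_POST['demo_content'] ) ) {
        return;
    }
    // 1. Only users allowed to edit plugin code may reach this action.
    if ( ! current_user_can( 'edit_plugins' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. The request must carry a nonce issued for this action and this user.
    //    A page on another origin cannot read one, so a forged form fails here.
    //    check_admin_referer() also checks the Referer and dies on failure.
    check_admin_referer( 'demo_save_file', '_demo_nonce' );
    // 3. Constrain the target to an existing file inside the plugin directory.
    $requested = sanitize_text_field( wp_unslash( $_POST['demo_file'] ) );
    $target    = realpath( WP_PLUGIN_DIR . '/' . $requested );
    $base      = realpath( WP_PLUGIN_DIR ) . DIRECTORY_SEPARATOR;
    if ( false === $target || 0 !== strpos( $target, $base ) ) {
        wp_die( 'Invalid file path.', 400 );
    }
    file_put_contents( $target, wp_unslash( $_POST['demo_content'] ) );
}
```

The nonce is the control that CWE-352 names: it ties the request to a token only the legitimate admin page could have embedded. The capability check is a separate, complementary control; a nonce alone does not say who is allowed to perform the action, and a capability check alone does not say whether the user intended to.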
How can this vulnerability impact me?
This vulnerability can have severe impact because it allows an unauthenticated attacker, once an administrator has been tricked into submitting the forged request, to execute arbitrary code on your WordPress site by overwriting plugin and theme files.
- Compromise of site integrity and security.
- Potential full site takeover by attackers.
- Loss of data confidentiality, integrity, and availability.
- Possible defacement or malicious content injection.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the WP Editor plugin for WordPress in versions up to and including 1.2.9.2, due to missing nonce verification that allows Cross-Site Request Forgery (CSRF). Detection involves identifying whether a vulnerable plugin version is installed and checking for unauthorized modifications to plugin or theme PHP files.
To detect the presence of a vulnerable WP Editor plugin version, check the installed plugin version with WP-CLI:
- wp plugin list | grep wp-editor
If the version is 1.2.9.2 or earlier, the site is vulnerable. To detect potential exploitation, look for unexpected changes in plugin or theme PHP files, for example by comparing the tree against git or using a file integrity monitoring tool to surface recent changes.
You can also search web server logs for POST requests that reach the plugin's add_plugins_page or add_themes_page handlers. Because a CSRF request is sent by the administrator's own browser, the client IP will be the administrator's; a Referer or Origin header pointing at a site other than your own is the stronger indicator of a forged request.
Example commands to list PHP files in the plugin and theme directories by modification time, newest first (assuming standard WordPress paths and GNU stat):
- find wp-content/plugins/wp-editor -name '*.php' -exec stat -c '%y %n' {} + | sort -r
- find wp-content/themes -name '*.php' -exec stat -c '%y %n' {} + | sort -r
Additionally, monitoring for unexpected admin actions or unusual user activity might help detect exploitation attempts.
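The commands above can be combined into one read-only audit. The script below is an added example written for this page, not the advisory's or the plugin's code: it reads the plugin's version header the way WordPress does, compares it against the affected range with `version_compare`, and lists PHP files under the plugin and theme directories modified within a lookback window. It assumes it is run from the WordPress root, that the plugin lives at `wp-content/plugins/wp-editor/` with a main file named `wp-editor.php` (an assumption; adjust to the real slug and file name), and that a 14-day window is a useful "recent" threshold.

```php
<?php
// Added audit example for CVE-2026-3772. Not from the advisory or the plugin.
// Run from the WordPress root:  php audit-wp-editor.php
// Assumed locations; adjust to your installation.
const WP_EDITOR_MAIN_FILE = 'wp-content/plugins/wp-editor/wp-editor.php';
const LAST_AFFECTED       = '1.2.9.2'; // "up to and including" per the advisory
const LOOKBACK_DAYS       = 14;        // hypothetical window for "recent" edits

// Read the "Version:" header from the top of a plugin's main file, using the
// same header-comment convention WordPress itself parses.
function plugin_version( string $mainFile ): ?string {
    if ( ! is_readable( $mainFile ) ) {
        return null;
    }
    $head = file_get_contents( $mainFile, false, null, 0, 8192 );
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $head, $m ) ) {
        return $m[1];
    }
    return null;
}

// The affected range is every version <= 1.2.9.2.
function is_affected( string $version ): bool {
    return version_compare( $version, LAST_AFFECTED, '<=' );
}

// PHP files under $dir whose mtime falls inside the lookback window, newest first.
// Note: mtime can be reset by whoever wrote the file, so treat this as a
// first pass and rely on git or file integrity monitoring for authoritative diffs.
function recently_modified_php( string $dir, int $days ): array {
    if ( ! is_dir( $dir ) ) {
        return [];
    }
    $cutoff = time() - $days * 86400;
    $hits   = [];
    $it     = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( $file->getExtension() === 'php' && $file->getMTime() >= $cutoff ) {
            $hits[ $file->getPathname() ] = $file->getMTime();
        }
    }
    arsort( $hits );
    return $hits;
}

$version = plugin_version( WP_EDITOR_MAIN_FILE );
if ( $version === null ) {
    echo "WP Editor main file not found at " . WP_EDITOR_MAIN_FILE . " (slug or file name may differ)\n";
} else {
    printf(
        "WP Editor %s: %s\n",
        $version,
        is_affected( $version ) ? 'AFFECTED (<= ' . LAST_AFFECTED . ')' : 'outside the affected range'
    );
}

foreach ( [ 'wp-content/plugins', 'wp-content/themes' ] as $dir ) {
    foreach ( recently_modified_php( $dir, LOOKBACK_DAYS ) as $path => $mtime ) {
        printf( "%s  %s\n", date( 'c', $mtime ), $path );
    }
}
```

A version reported as affected is a reason to update; a recently modified file is a reason to diff it against a known-good copy, since legitimate updates also touch these directories.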
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the WP Editor plugin to a version later than 1.2.9.2, in which the nonce verification issue is fixed.
Additionally, avoid clicking suspicious links that could trigger forged requests, especially while logged in with administrative privileges on the WordPress site.