CVE-2026-3772

Name of the Vulnerable Software and Affected Versions WP Editor versions prior to 1.2.9.3

Description The WP Editor plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF), a flaw where an attacker tricks a victim into performing actions they did not intend to. This occurs because the add plugins page() and add themes page() functions lack nonce verification (a unique token used to prevent replay attacks). Consequently, unauthenticated attackers can overwrite arbitrary plugin and theme PHP files with malicious code by inducing a site administrator to click a forged link.

Recommendations Update to a version later than 1.2.9.2. As a temporary workaround, restrict access to the add plugins page() and add themes page() functions to minimize the risk of exploitation.