Skip to main content

Theme Editor CVE-2026-39640

| EUVDEUVD-2026-20300 CRITICAL
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-08 Patchstack GHSA-hgvj-3389-4m2h
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 24, 2026 - 18:07 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 15:23 vuln.today
CVSS changed
Apr 14, 2026 - 15:22 NVD
9.6 (CRITICAL)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20300
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection.This issue affects Theme Editor: from n/a through <= 3.2.

AnalysisAI

Cross-Site Request Forgery in WordPress Theme Editor plugin versions through 3.2 enables unauthenticated attackers to inject arbitrary code via social engineering, achieving remote code execution with critical scope change impact. The vulnerability requires user interaction but no authentication (CVSS PR:N/UI:R), creating a pathway from CSRF to complete site compromise. EPSS exploitation probability is low (0.01%, 1st percentile), and no public exploit identified at time of analysis.

Technical ContextAI

This vulnerability affects the Theme Editor WordPress plugin (cpe:2.3:a:mndpsingh287:theme_editor) through version 3.2. The root cause is CWE-352 (Cross-Site Request Forgery), where the plugin fails to implement proper anti-CSRF tokens or nonce validation on sensitive code modification endpoints. WordPress theme editors typically allow administrators to directly edit PHP template files, CSS, and JavaScript. Without CSRF protection, an attacker can craft malicious requests that, when executed by an authenticated administrator's browser, inject arbitrary PHP code into theme files. The CVSS scope change (S:C) indicates the vulnerability allows breaking out of the WordPress security context, as injected code executes with full web server privileges. The network attack vector (AV:N) combined with low complexity (AC:L) means exploitation requires only tricking an admin into visiting a malicious page while authenticated to WordPress.

RemediationAI

Upgrade the Theme Editor plugin to a version newer than 3.2 if available from the WordPress plugin repository or vendor advisory at https://patchstack.com/database/Wordpress/Plugin/theme-editor/vulnerability/wordpress-theme-editor-plugin-3-2-cross-site-request-forgery-csrf-to-remote-code-execution-vulnerability. If no patched version exists or the plugin is no longer maintained, immediately disable and remove the Theme Editor plugin, as WordPress core includes built-in theme editing functionality for administrators (though disabling via DISALLOW_FILE_EDIT constant is recommended for production sites). As an interim mitigation if removal is not immediately feasible, implement web application firewall rules to block suspicious POST requests to theme editor endpoints, restrict WordPress admin access to trusted IP addresses, and educate administrators about CSRF risks including not clicking unknown links while logged into WordPress dashboards. Consult https://nvd.nist.gov/vuln/detail/CVE-2026-39640 for additional vendor guidance.

Share

CVE-2026-39640 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy