Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection.This issue affects Theme Editor: from n/a through <= 3.2.
AnalysisAI
Cross-Site Request Forgery in WordPress Theme Editor plugin versions through 3.2 enables unauthenticated attackers to inject arbitrary code via social engineering, achieving remote code execution with critical scope change impact. The vulnerability requires user interaction but no authentication (CVSS PR:N/UI:R), creating a pathway from CSRF to complete site compromise. EPSS exploitation probability is low (0.01%, 1st percentile), and no public exploit identified at time of analysis.
Technical ContextAI
This vulnerability affects the Theme Editor WordPress plugin (cpe:2.3:a:mndpsingh287:theme_editor) through version 3.2. The root cause is CWE-352 (Cross-Site Request Forgery), where the plugin fails to implement proper anti-CSRF tokens or nonce validation on sensitive code modification endpoints. WordPress theme editors typically allow administrators to directly edit PHP template files, CSS, and JavaScript. Without CSRF protection, an attacker can craft malicious requests that, when executed by an authenticated administrator's browser, inject arbitrary PHP code into theme files. The CVSS scope change (S:C) indicates the vulnerability allows breaking out of the WordPress security context, as injected code executes with full web server privileges. The network attack vector (AV:N) combined with low complexity (AC:L) means exploitation requires only tricking an admin into visiting a malicious page while authenticated to WordPress.
RemediationAI
Upgrade the Theme Editor plugin to a version newer than 3.2 if available from the WordPress plugin repository or vendor advisory at https://patchstack.com/database/Wordpress/Plugin/theme-editor/vulnerability/wordpress-theme-editor-plugin-3-2-cross-site-request-forgery-csrf-to-remote-code-execution-vulnerability. If no patched version exists or the plugin is no longer maintained, immediately disable and remove the Theme Editor plugin, as WordPress core includes built-in theme editing functionality for administrators (though disabling via DISALLOW_FILE_EDIT constant is recommended for production sites). As an interim mitigation if removal is not immediately feasible, implement web application firewall rules to block suspicious POST requests to theme editor endpoints, restrict WordPress admin access to trusted IP addresses, and educate administrators about CSRF risks including not clicking unknown links while logged into WordPress dashboards. Consult https://nvd.nist.gov/vuln/detail/CVE-2026-39640 for additional vendor guidance.
More in Theme Editor
View allSame weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20300
GHSA-hgvj-3389-4m2h