Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Network CSRF needs no attacker privileges (PR:N) but requires an admin to click (UI:R); forged file writes yield full C/I/A impact, so 8.8.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Request Forgery (CSRF) in WPIDE - File Manager & Code Editor <= 3.5.6 versions.
AnalysisAI
Cross-Site Request Forgery in the WPIDE - File Manager & Code Editor WordPress plugin (versions <= 3.5.6) allows a remote attacker to forge privileged requests that a logged-in administrator's browser executes without consent. Because WPIDE exposes filesystem read/write and code-editing functionality, a successful CSRF can lead to arbitrary file modification and effectively remote code execution on the WordPress host. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a WordPress site running WPIDE - File Manager & Code Editor at version 3.5.6 or earlier with the plugin active, and it depends on an authenticated administrator (a user with WPIDE file-editing capability) being tricked into visiting attacker-controlled content while their WordPress session is valid - the UI:R metric in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, 8.8) reflects network reach, low complexity, no attacker privileges, but required user interaction (UI:R) - the attacker holds no credentials but must lure an authenticated administrator into visiting a malicious page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious web page (or email link) containing a hidden auto-submitting form or request targeting a WPIDE file-write action, then lures a WordPress administrator who is currently logged in to open it. The victim's browser silently submits the forged request with valid session cookies, causing WPIDE to write attacker-supplied PHP to the server, which the attacker then executes to gain control. … |
| Remediation | No vendor-released patch version is identified in the available data; the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wpide/vulnerability/wordpress-wpide-file-manager-code-editor-plugin-3-5-6-cross-site-request-forgery-csrf-vulnerability) covers versions <= 3.5.6, so upgrade to any later release the vendor publishes above 3.5.6 once available and confirm it addresses CWE-352. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
No vendor-released patch identified at time of analysis. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41321
GHSA-jq6p-fffc-h97g