Skip to main content

WPIDE EUVDEUVD-2026-41321

| CVE-2026-57766 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-02 Patchstack GHSA-jq6p-fffc-h97g
8.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network CSRF needs no attacker privileges (PR:N) but requires an admin to click (UI:R); forged file writes yield full C/I/A impact, so 8.8.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:20 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Request Forgery (CSRF) in WPIDE - File Manager & Code Editor <= 3.5.6 versions.

AnalysisAI

Cross-Site Request Forgery in the WPIDE - File Manager & Code Editor WordPress plugin (versions <= 3.5.6) allows a remote attacker to forge privileged requests that a logged-in administrator's browser executes without consent. Because WPIDE exposes filesystem read/write and code-editing functionality, a successful CSRF can lead to arbitrary file modification and effectively remote code execution on the WordPress host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host malicious page with forged WPIDE request
Delivery
Lure logged-in WordPress admin to visit
Exploit
Browser auto-submits request with valid cookies
Execution
Plugin writes attacker PHP to server
Impact
Execute planted code for RCE

Vulnerability AssessmentAI

Exploitation Exploitation requires a WordPress site running WPIDE - File Manager & Code Editor at version 3.5.6 or earlier with the plugin active, and it depends on an authenticated administrator (a user with WPIDE file-editing capability) being tricked into visiting attacker-controlled content while their WordPress session is valid - the UI:R metric in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, 8.8) reflects network reach, low complexity, no attacker privileges, but required user interaction (UI:R) - the attacker holds no credentials but must lure an authenticated administrator into visiting a malicious page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious web page (or email link) containing a hidden auto-submitting form or request targeting a WPIDE file-write action, then lures a WordPress administrator who is currently logged in to open it. The victim's browser silently submits the forged request with valid session cookies, causing WPIDE to write attacker-supplied PHP to the server, which the attacker then executes to gain control. …
Remediation No vendor-released patch version is identified in the available data; the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wpide/vulnerability/wordpress-wpide-file-manager-code-editor-plugin-3-5-6-cross-site-request-forgery-csrf-vulnerability) covers versions <= 3.5.6, so upgrade to any later release the vendor publishes above 3.5.6 once available and confirm it addresses CWE-352. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

No vendor-released patch identified at time of analysis. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41321 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy