Skip to main content

Theme Editor

2 CVEs product

Monthly

CVE-2026-39640 CRITICAL Act Now

Cross-Site Request Forgery in WordPress Theme Editor plugin versions through 3.2 enables unauthenticated attackers to inject arbitrary code via social engineering, achieving remote code execution with critical scope change impact. The vulnerability requires user interaction but no authentication (CVSS PR:N/UI:R), creating a pathway from CSRF to complete site compromise. EPSS exploitation probability is low (0.01%, 1st percentile), and no public exploit identified at time of analysis.

CSRF Theme Editor
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2021-24154 MEDIUM This Month

The Theme Editor WordPress plugin before 2.6 did not validate the GET file parameter before passing it to the download_file() function, allowing administrators to download arbitrary files on the web. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Path Traversal Information Disclosure Theme Editor
NVD WPScan
CVSS 3.1
4.9
EPSS
1.1%
EPSS 0% CVSS 9.6
CRITICAL Act Now

Cross-Site Request Forgery in WordPress Theme Editor plugin versions through 3.2 enables unauthenticated attackers to inject arbitrary code via social engineering, achieving remote code execution with critical scope change impact. The vulnerability requires user interaction but no authentication (CVSS PR:N/UI:R), creating a pathway from CSRF to complete site compromise. EPSS exploitation probability is low (0.01%, 1st percentile), and no public exploit identified at time of analysis.

CSRF Theme Editor
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

The Theme Editor WordPress plugin before 2.6 did not validate the GET file parameter before passing it to the download_file() function, allowing administrators to download arbitrary files on the web. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Path Traversal Information Disclosure +1
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy