Vulnerabilities and security researches fortheme-editor theme-editor

Nov 10, 2025

CVE, Research URL: CVE-2025-9890
Home page URL: Security reports for Theme Editor
Application: Theme Editor
Date: Oct 18, 2025
Research Description: The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0. This is due to missing or incorrect nonce validation on the 'theme_editor_theme' page. This makes it possible for unauthenticated attackers to achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 3.1.
Status: vulnerable

Aug 29, 2024

CVE, Research URL: CVE-2022-2440
Home page URL: Security reports for Theme Editor
Application: Theme Editor
Date: Aug 29, 2024
Research Description: Theme Editor [theme-editor] < 2.9 CVE-2022-2440 [en] The Theme Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'images_array' parameter in versions up to, and including 2.8. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
Affected versions: max 2.9.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2023-6091
Home page URL: Security reports for Theme Editor
Application: Theme Editor
Date: Mar 27, 2024
Research Description: Unrestricted Upload of File with Dangerous Type vulnerability in mndpsingh287 Theme Editor.This issue affects Theme Editor: from n/a through 2.7.1.
Affected versions: max 2.8.
Status: vulnerable

CVE, Research URL: CVE-2021-24154
Home page URL: Security reports for Theme Editor
Application: Theme Editor
Date: Apr 06, 2021
Research Description: The Theme Editor WordPress plugin before 2.6 did not validate the GET file parameter before passing it to the download_file() function, allowing administrators to download arbitrary files on the web server, such as /etc/passwd
Affected versions: max 2.2.
Status: vulnerable