Vulnerabilities and security researches forwp-editor wp-editor

Jun 06, 2024

CVE, Research URL: CVE-2016-10885
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Aug 14, 2019
Research Description: The wp-editor plugin before 1.2.6 for WordPress has CSRF.
Affected versions: max 1.2.6.
Status: vulnerable

CVE, Research URL: CVE-2016-10886
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Aug 14, 2019
Research Description: The wp-editor plugin before 1.2.6 for WordPress has incorrect permissions.
Affected versions: max 1.2.6.
Status: vulnerable

CVE, Research URL: CVE-2016-10877
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Aug 12, 2019
Research Description: The wp-editor plugin before 1.2.6.3 for WordPress has multiple XSS issues.
Affected versions: max 1.2.6.3.
Status: vulnerable

CVE, Research URL: CVE-2024-24700
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Mar 27, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benjamin Rojas WP Editor allows Reflected XSS.This issue affects WP Editor: from n/a through 1.2.8.
Affected versions: max 1.2.9.
Status: vulnerable

CVE, Research URL: CVE-2024-25591
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Mar 17, 2024
Research Description: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Benjamin Rojas WP Editor.This issue affects WP Editor: from n/a through 1.2.7.
Affected versions: max 1.2.8.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2021-24151
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Jan 16, 2024
Research Description: The WP Editor WordPress plugin before 1.2.7 did not sanitise or validate its setting fields leading to an authenticated (admin+) blind SQL injection issue via an arbitrary parameter when making a request to save the settings.
Affected versions: max 1.2.7.
Status: vulnerable

Sep 14, 2024

CVE, Research URL: CVE-2022-2446
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Sep 13, 2024
Research Description: The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'current_theme_root' parameter in versions up to, and including 1.2.9. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
Affected versions: max 1.2.9.1.
Status: vulnerable

Apr 18, 2025

CVE, Research URL: CVE-2025-3294
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Apr 17, 2025
Research Description: The WP Editor plugin for WordPress is vulnerable to arbitrary file update due to missing file path validation in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to overwrite arbitrary files on the affected site's server which may make remote code execution possible assuming the files can be written to by the web server.
Affected versions: max 1.2.9.2.
Status: vulnerable

CVE, Research URL: CVE-2025-3295
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Apr 17, 2025
Research Description: The WP Editor plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the affected site's server which may reveal sensitive information.
Affected versions: max 1.2.9.2.
Status: vulnerable

May 02, 2026

CVE, Research URL: CVE-2026-3772
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: May 01, 2026
Research Description: The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9.2. This is due to missing nonce verification in the 'add_plugins_page' and 'add_themes_page' functions. This makes it possible for unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with attacker-controlled code via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Affected versions: max 1.2.9.3.
Status: vulnerable

Jun 16, 2026

CVE, Research URL: 17808b612d476307eed11de3864d0e6196686f22
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Feb 02, 2021
Research Description: WP Editor [wp-editor] < 1.2.7 WordPress WP Editor plugin <= 1.2.6.3 - SQL injection (SQLi) vulnerability SQL injection (SQLi) vulnerability found by Nguyen Van Khanh in WordPress WP Editor plugin (versions <= 1.2.6.3).
Affected versions: max 1.2.7.
Status: vulnerable

CVE, Research URL: 9f554258dccf197d2aef6c675e863309c8c23908
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Oct 05, 2016
Research Description: WP Editor [wp-editor] < 1.2.6.3 WordPress Editor Plugin <= 1.2.6.2 - Multiple Cross Site Scripting Because of this vulnerability, the attackers can inject arbitrary web script or HTML. Update the plugin.
Affected versions: max 1.2.6.3.
Status: vulnerable

CVE, Research URL: 57bcaf52c81e37e52179a1bc19ff300383498acc
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: May 12, 2017
Research Description: WP Editor [wp-editor] < 1.2.6 WordPress WP Editor plugin <= 1.2.5.3 - Authenticated File Modification Vulnerability Authenticated File Modification Vulnerability was found in WordPress WP Editor plugin in 1.2.5.3 version. Any logged in user can edit files because there's no check for that. Update the plugin.
Affected versions: max 1.2.6.
Status: vulnerable

CVE, Research URL: 9bd82df3361111ce1d4cf7e25e54197d57e5fcf7
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: May 12, 2017
Research Description: WP Editor [wp-editor] < 1.2.6 WordPress WP Editor plugin <= 1.2.5.3 - Authenticated Arbitrary File Upload vulnerability WordPress WP Editor plugin Authenticated Arbitrary File Upload vulnerability is in upload_files AJAX function. A user with subscriber or higher role can upload the chosen file to the root directory. Update the plugin.
Affected versions: max 1.2.6.
Status: vulnerable