Vulnerabilities and security researches forwp-editor wp-editor

Jun 06, 2024

CVE, Research URL: CVE-2016-10885
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Aug 14, 2019
Research Description: The wp-editor plugin before 1.2.6 for WordPress has CSRF.
Affected versions: max 1.2.6.
Status: vulnerable

CVE, Research URL: CVE-2016-10886
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Aug 14, 2019
Research Description: The wp-editor plugin before 1.2.6 for WordPress has incorrect permissions.
Affected versions: max 1.2.6.
Status: vulnerable

CVE, Research URL: CVE-2016-10877
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Aug 12, 2019
Research Description: The wp-editor plugin before 1.2.6.3 for WordPress has multiple XSS issues.
Affected versions: max 1.2.6.
Status: vulnerable

CVE, Research URL: CVE-2024-24700
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Mar 27, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benjamin Rojas WP Editor allows Reflected XSS.This issue affects WP Editor: from n/a through 1.2.8.
Affected versions: max 1.2.9.
Status: vulnerable

CVE, Research URL: CVE-2024-25591
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Mar 17, 2024
Research Description: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Benjamin Rojas WP Editor.This issue affects WP Editor: from n/a through 1.2.7.
Affected versions: max 1.2.8.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2021-24151
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Jan 16, 2024
Research Description: The WP Editor WordPress plugin before 1.2.7 did not sanitise or validate its setting fields leading to an authenticated (admin+) blind SQL injection issue via an arbitrary parameter when making a request to save the settings.
Affected versions: max 1.2.7.
Status: vulnerable

Sep 14, 2024

CVE, Research URL: CVE-2022-2446
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Sep 13, 2024
Research Description: The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'current_theme_root' parameter in versions up to, and including 1.2.9. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
Affected versions: max 1.2.9.1.
Status: vulnerable

Apr 18, 2025

CVE, Research URL: CVE-2025-3294
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Apr 17, 2025
Research Description: The WP Editor plugin for WordPress is vulnerable to arbitrary file update due to missing file path validation in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to overwrite arbitrary files on the affected site's server which may make remote code execution possible assuming the files can be written to by the web server.
Affected versions: max 1.2.9.2.
Status: vulnerable

CVE, Research URL: CVE-2025-3295
Home page URL: Security reports for WP Editor
Application: WP Editor
Date: Apr 17, 2025
Research Description: The WP Editor plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the affected site's server which may reveal sensitive information.
Affected versions: max 1.2.9.2.
Status: vulnerable