cleantalk
Vulnerabilities and Security Researches

WP Editor, CVE-2026-3772

CVE, Research URL

CVE-2026-3772

Home page URL

Security reports for WP Editor

Application

WP Editor

Published on
May 01, 2026
Research Description
The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9.2. This is due to missing nonce verification in the 'add_plugins_page' and 'add_themes_page' functions. This makes it possible for unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with attacker-controlled code via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Affected versions
max 1.2.9.3.
Status
vulnerable
Previous vulnerability researches
Advanced Product Fields (Product Addons) for WooCommerce (CVE-2025-13924) , Jan 11, 2026
Advanced Product Fields (Product Addons) for WooCommerce (CVE-2026-32457) , Mar 30, 2026
Advanced Product Fields (Product Addons) for WooCommerce (CVE-2026-39499) , May 02, 2026
New vulnerability
Salon booking system (CVE-2026-40768) , May 02, 2026
Automatic YouTube Gallery (CVE-2024-13362) , May 02, 2026
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin (CVE-2026-40794) , May 02, 2026
WP Time Slots Booking Form (CVE-2026-40791) , May 02, 2026
Min Max Default Quantity for WooCommerce (CVE-2026-39437) , May 02, 2026