cleantalk
Vulnerabilities and Security Researches

WP Editor, CVE-2026-3772

CVE, Research URL

CVE-2026-3772

Home page URL

Security reports for WP Editor

Application

WP Editor

Published on
May 01, 2026
Research Description
The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9.2. This is due to missing nonce verification in the 'add_plugins_page' and 'add_themes_page' functions. This makes it possible for unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with attacker-controlled code via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Affected versions
max 1.2.9.3.
Status
vulnerable
Previous vulnerability researches
Code Manager (8664b371437f11c6f159cff6b9367abd6c987589) , Jun 06, 2024
Code Manager (CVE-2022-4974) , Nov 16, 2024
Code Manager (CVE-2024-13362) , May 02, 2026
FluentSnippets – The High-Performance file based Custom Code Snippet Plugin (CVE-2025-54010) , Jul 18, 2025
Tracking Code Manager (CVE-2024-8721) , Dec 24, 2024
New vulnerability
Easy Social Feed – Social Photos Gallery – Post Feed – Like Box (CVE-2024-13362) , May 02, 2026
WP fail2ban – Advanced Security Plugin (CVE-2024-13362) , May 02, 2026
Widgets on Pages (CVE-2024-13362) , May 02, 2026
Booking Calendar | Appointment Booking | BookIt (CVE-2026-40780) , May 02, 2026
WPIDE – File Manager & Code Editor (CVE-2024-13362) , May 02, 2026