cleantalk
Vulnerabilities and Security Researches

Theme Editor, CVE-2022-2440

CVE, Research URL

CVE-2022-2440

Home page URL

Security reports for Theme Editor

Application

Theme Editor

Published on
Aug 29, 2024
Research Description
Theme Editor [theme-editor] < 2.9 CVE-2022-2440 [en] The Theme Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'images_array' parameter in versions up to, and including 2.8. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
Affected versions
max 2.9.
Status
vulnerable
Previous vulnerability researches
Theme Editor (CVE-2022-2440) , Aug 29, 2024
Theme Editor (CVE-2025-9890) , Nov 10, 2025
Theme Editor (CVE-2023-6091) , Jun 07, 2024
Theme Editor (CVE-2021-24154) , Jun 07, 2024
New vulnerability
MultiVendorX Marketplace &#8211; WooCommerce MultiVendor Marketplace Solution (CVE-2025-49916) , Nov 10, 2025
Backuply &#8211; Backup, Restore, Migrate and Clone (CVE-2025-10307) , Nov 10, 2025
WP Mapbox GL JS Maps (CVE-2025-62942) , Nov 10, 2025
Zip Attachments (CVE-2025-11701) , Nov 10, 2025
Zip Attachments (CVE-2025-11692) , Nov 10, 2025