WP Editor CSRF lets attackers overwrite plugin and theme files
TL;DR - WP Editor skips nonce verification in add_plugins_page() and add_themes_page(). Trick a logged-in admin into loading attacker-controlled content and you get a forged request that overwrites plugin or theme PHP with arbitrary code - persistent RCE from a single click.
What happened
WP Editor (slug wp-editor) is a WordPress plugin that surfaces a file editor for plugins and themes directly inside the admin UI.
CVE-2026-3772 describes a CSRF-to-RCE chain. Neither add_plugins_page() nor add_themes_page() performs nonce verification. Get an authenticated site admin to load attacker-controlled content - a link in an email, an iframe on a compromised page - and the forged request can rewrite any plugin or theme PHP file with code of your choosing.
| Item | Detail |
|---|---|
| Affected component | WordPress plugin WP Editor (wp-editor) |
| Affected versions | <= 1.2.9.2 |
| Patched version | 1.2.9.3 |
| Severity | CVSS 3.1 8.8 (High) |
| CVSS vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
WordPress file-editor bugs consistently lead to full site takeover. Writing PHP into the deployment gives you persistence - the payload survives cache flushes, plugin deactivation cycles, and most incident response playbooks that stop short of a full reinstall.
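The pattern described above, shown as a constructed illustration rather than WP Editor's own code: a menu-page callback of the kind registered with add_plugins_page() that writes the submitted file without a nonce check, beside a hardened version that adds the capability check, the check_admin_referer() call and a path confinement. All `example_` names, the form fields and the menu slug are hypothetical; the WordPress functions used (add_plugins_page, check_admin_referer, wp_nonce_field, current_user_can, wp_die, wp_unslash, submit_button) are real core API.

```php
<?php
// Constructed illustration of the CSRF pattern in the advisory.
// NOT WP Editor's code; every name prefixed "example_" is hypothetical.

// --- Vulnerable pattern -------------------------------------------------------
// The callback writes the submitted file as soon as POST data arrives. Nothing
// proves the admin chose to submit this form, so any page the admin's browser
// loads can auto-submit an identical form and the write runs with the admin's cookies.
function example_editor_page_vulnerable() {
    if ( isset( $_POST['file'], $_POST['content'] ) ) {
        $path = WP_PLUGIN_DIR . '/' . wp_unslash( $_POST['file'] );
        file_put_contents( $path, wp_unslash( $_POST['content'] ) ); // attacker-chosen PHP lands on disk
    }
    example_editor_render_form();
}

// --- Hardened pattern ---------------------------------------------------------
function example_editor_page_hardened() {
    if ( isset( $_POST['file'], $_POST['content'] ) ) {
        // 1. Honour the same kill switch WordPress core's own file editors honour.
        if ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT ) {
            wp_die( 'File editing is disabled on this site.', 403 );
        }
        // 2. Authorisation. Separate from CSRF protection; both are required.
        if ( ! current_user_can( 'edit_plugins' ) ) {
            wp_die( 'You are not allowed to edit plugin files.', 403 );
        }
        // 3. CSRF protection. check_admin_referer() dies unless the request carries a
        //    valid nonce for this action. Nonces are per user and per action, expire,
        //    and live in page HTML that only a same-origin document can read, so a
        //    forged cross-site form cannot supply one.
        check_admin_referer( 'example_editor_save', 'example_editor_nonce' );
        // 4. Additional hardening (beyond the advisory): confine writes to the plugin directory.
        $base   = realpath( WP_PLUGIN_DIR );
        $target = realpath( WP_PLUGIN_DIR . '/' . wp_unslash( $_POST['file'] ) );
        if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
            wp_die( 'Invalid file.', 400 );
        }
        file_put_contents( $target, wp_unslash( $_POST['content'] ) );
    }
    example_editor_render_form();
}

// Shared form. wp_nonce_field() emits the hidden field check_admin_referer() expects;
// the vulnerable callback above never looks at it, which is the whole bug.
function example_editor_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_editor_save', 'example_editor_nonce' );
    echo '<input type="text" name="file" value="my-plugin/my-plugin.php">';
    echo '<textarea name="content"></textarea>';
    submit_button( 'Save' );
    echo '</form>';
}

// Registration. The capability argument decides who may load the page; it does
// nothing to verify that a request reaching the callback was intended by that user.
add_action( 'admin_menu', function () {
    add_plugins_page(
        'Example Editor',              // page title
        'Example Editor',              // menu title
        'edit_plugins',                // capability required to load the page
        'example-editor',              // menu slug (hypothetical)
        'example_editor_page_hardened' // callback
    );
} );
```

The capability check alone would not have helped here: in a CSRF the request is made by a real administrator's browser, so current_user_can() passes. The nonce is what binds the write to an action the admin actually took on the site. The DISALLOW_FILE_EDIT check is worth keeping in mind as a caveat: WordPress core's editors honour that constant, but a third-party editor only does so if its code checks it, so setting it in wp-config.php is not by itself a mitigation for this plugin.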
Who is impacted
- WordPress sites running `wp-editor` at versions <= 1.2.9.2.
- Highest risk: sites where admins browse the web while authenticated to wp-admin (normal behaviour) and where the WordPress process has write access to plugin and theme directories (common on shared and managed hosting).
What to do now
- Update immediately. Apply the patched release per vendor guidance:
  "Remediation: Update to version 1.2.9.3, or a newer patched version"
- Inventory production WordPress instances for the `wp-editor` plugin and confirm the installed version before assuming you're covered.
- Treat any unpatched window as a potential unauthorised-change exposure:
  - audit plugin and theme PHP files for unexpected modifications
  - review web server logs and WordPress audit logs for suspicious requests to plugin and theme editor endpoints
- While patching, reduce blast radius:
  - restrict wp-admin access at the network edge where feasible (IP allowlists, VPN, SSO enforcement)
  - ensure admins use separate browser profiles and avoid opening untrusted links while authenticated to WordPress
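One way to carry out the file audit step above, as an added example that is not part of the advisory or of any WordPress project: a small PHP CLI script that records a SHA-256 manifest of every PHP file under wp-content/plugins and wp-content/themes from a known-good state, then reports files added, removed or modified since. The script name, the manifest file name and the paths in the usage comment are assumptions.

```php
<?php
// Constructed example: baseline-and-compare integrity check for plugin and theme PHP files.
// Not WP Editor or WordPress code. Hypothetical usage, run as the web user or root:
//   php wp-audit.php build /var/www/html/wp-content > manifest.json   # right after a known-good install/update
//   php wp-audit.php check /var/www/html/wp-content manifest.json      # during or after the exposure window

// Walk plugins/ and themes/, hashing every .php file. Returns [relative path => [sha256, mtime]].
function audit_collect( string $contentDir ): array {
    $files = [];
    foreach ( [ 'plugins', 'themes' ] as $sub ) {
        $root = rtrim( $contentDir, '/' ) . '/' . $sub;
        if ( ! is_dir( $root ) ) {
            continue;
        }
        $iter = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
        );
        foreach ( $iter as $file ) {
            // Simplification: only .php is hashed. Widen this to every extension your web server executes.
            if ( strtolower( $file->getExtension() ) !== 'php' ) {
                continue;
            }
            $rel           = $sub . '/' . substr( $file->getPathname(), strlen( $root ) + 1 );
            $files[ $rel ] = [
                'sha256' => hash_file( 'sha256', $file->getPathname() ),
                'mtime'  => $file->getMTime(), // for correlating with web server log timestamps
            ];
        }
    }
    ksort( $files );
    return $files;
}

// Compare two manifests. The hash decides; mtime is only reported, because it can be reset.
function audit_diff( array $baseline, array $current ): array {
    $added    = array_keys( array_diff_key( $current, $baseline ) );
    $removed  = array_keys( array_diff_key( $baseline, $current ) );
    $modified = [];
    foreach ( array_intersect_key( $current, $baseline ) as $rel => $info ) {
        if ( $info['sha256'] !== $baseline[ $rel ]['sha256'] ) {
            $modified[] = $rel;
        }
    }
    return compact( 'added', 'removed', 'modified' );
}

// Hypothetical CLI wrapper.
$mode = $argv[1] ?? '';
if ( 'build' === $mode && isset( $argv[2] ) ) {
    echo json_encode( audit_collect( $argv[2] ), JSON_PRETTY_PRINT ), "\n";
    exit( 0 );
}
if ( 'check' === $mode && isset( $argv[2], $argv[3] ) ) {
    $baseline = json_decode( file_get_contents( $argv[3] ), true );
    $current  = audit_collect( $argv[2] );
    $diff     = audit_diff( $baseline, $current );
    foreach ( $diff as $kind => $list ) {
        foreach ( $list as $rel ) {
            $when = isset( $current[ $rel ] ) ? date( 'c', $current[ $rel ]['mtime'] ) : '-';
            printf( "%-8s %-60s mtime=%s\n", strtoupper( $kind ), $rel, $when );
        }
    }
    // Non-zero exit lets a cron job or CI step raise an alert on any change.
    exit( array_sum( array_map( 'count', $diff ) ) > 0 ? 1 : 0 );
}
fwrite( STDERR, "usage: php wp-audit.php build <wp-content dir> | check <wp-content dir> <manifest.json>\n" );
exit( 2 );
```

Two caveats matter when using this. A baseline built after the exposure window proves nothing, since it would enshrine whatever is already on disk; if no trusted baseline exists, plugins installed from wordpress.org can instead be compared against the published checksums with WP-CLI's `wp plugin verify-checksums --all`. And every legitimate plugin or theme update changes hashes, so the manifest has to be rebuilt as part of the update procedure, not left from the original install. Modified and added entries, together with their mtime, are the starting point for the log review in the step above.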
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
