Wp Editor

wp_editor

CVEs (7)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-3295 1Benjaminrojas 1Wp Editor Jun 17, 2026 Apr 17, 2025 N/A· v4 4.9 MEDIUM· v3 N/A· v2 The WP Editor plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to rea...Show more The WP Editor plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the affected site's server which may reveal sensitive information.Show less
CVE-2025-3294 1Benjaminrojas 1Wp Editor Jun 17, 2026 Apr 17, 2025 N/A· v4 7.2 HIGH· v3 N/A· v2 The WP Editor plugin for WordPress is vulnerable to arbitrary file update due to missing file path validation in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Admini...Show more The WP Editor plugin for WordPress is vulnerable to arbitrary file update due to missing file path validation in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to overwrite arbitrary files on the affected site's server which may make remote code execution possible assuming the files can be written to by the web server.Show less
CVE-2022-2446 1Benjaminrojas 1Wp Editor Jun 17, 2026 Sep 13, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'current_theme_root' parameter in versions up to, and including 1.2.9. This makes it possible for authenticated attackers wit...Show more The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'current_theme_root' parameter in versions up to, and including 1.2.9. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.Show less
CVE-2024-25591 1Benjaminrojas 1Wp Editor Jun 17, 2026 Mar 17, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Benjamin Rojas WP Editor.This issue affects WP Editor: from n/a through 1.2.7.
CVE-2021-24151 1Benjaminrojas 1Wp Editor Jun 17, 2026 Jan 16, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 The WP Editor WordPress plugin before 1.2.7 did not sanitise or validate its setting fields leading to an authenticated (admin+) blind SQL injection issue via an arbitrary parameter when making a request to save the sett...Show more The WP Editor WordPress plugin before 1.2.7 did not sanitise or validate its setting fields leading to an authenticated (admin+) blind SQL injection issue via an arbitrary parameter when making a request to save the settings.Show less
CVE-2016-10886 1Benjaminrojas 1Wp Editor Nov 21, 2024 Aug 14, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The wp-editor plugin before 1.2.6 for WordPress has incorrect permissions.
CVE-2016-10885 1Benjaminrojas 1Wp Editor Nov 21, 2024 Aug 14, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The wp-editor plugin before 1.2.6 for WordPress has CSRF.