WordPress Plugin Vulnerabilities

Theme Editor < 2.2 - Multiple Vulnerabilities

Description

Versions 2.1 and lower of the "theme-editor" plugin are affected by multiple vulnerabilities such as CSRF, insufficient permission checking, arbitrary file upload and the ability to interact with folders/files on the server in most ways you can imagine. These vulnerabilities (aside from CSRF) require access to any account, regardless of its role.

Affects Plugins

Plugin icon
theme-editor
Fixed in 2.2

References

URL
https://www.webarxsecurity.com/wordpress-theme-editor-plugin-multiple-vulnerabilities/

Miscellaneous

Original Researcher
WebARX
Submitter
Dave
Submitter website
https://www.webarxsecurity.com
Submitter twitter
webarx_security
Verified
No
WPVDB ID
9b660e2e-5cf8-4cf2-a307-989e150c37f9

Timeline

Publicly Published
2019-09-30 (about 6 years ago)
Added
2019-09-30 (about 6 years ago)
Last Updated
2021-02-01 (about 5 years ago)

Other

Published
Title
Published
2019-07-01
Title
Newsletter Lite < 4.6.19 - Multiple Issues
Published
2017-09-16
Title
Post Pay Counter < 2.731 - PHP Obj Injection & Access Control Issues
Published
2015-09-17
Title
ALO EasyMail Newsletter <= 2.6.00 - Cross-Site Scripting (XSS) & CSRF
Published
2019-07-19
Title
Adaptive Images for WordPress <= 0.6.66 - Local File Inclusion & Deletion
Published
2018-12-04
Title
Arigato Autoresponder and Newsletter < 2.5.2 - Authenticated Blind SQL Injection & Multiple XSS