{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39640", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:43.491Z", "datePublished": "2026-04-08T08:30:31.919Z", "dateUpdated": "2026-04-08T08:30:31.919Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "theme-editor", "product": "Theme Editor", "vendor": "mndpsingh287", "versions": [{"lessThanOrEqual": "3.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "hhhai | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:36.224Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection.<p>This issue affects Theme Editor: from n/a through <= 3.2.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection.This issue affects Theme Editor: from n/a through <= 3.2."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:31.919Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/theme-editor/vulnerability/wordpress-theme-editor-plugin-3-2-cross-site-request-forgery-csrf-to-remote-code-execution-vulnerability?_s_id=cve"}], "title": "WordPress Theme Editor plugin <= 3.2 - Cross Site Request Forgery (CSRF) to Remote Code Execution vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection.This issue affects Theme Editor: from n/a through <= 3.2."}], "id": "CVE-2026-39640", "lastModified": "2026-04-08T09:16:34.803", "metrics": {}, "published": "2026-04-08T09:16:34.803", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/theme-editor/vulnerability/wordpress-theme-editor-plugin-3-2-cross-site-request-forgery-csrf-to-remote-code-execution-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Theme Editor", "source": "cna", "vendor": "mndpsingh287"}, "product": "theme_editor", "vendor": "mndpsingh287"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:08:56.274851+00:00", "value": {"mitigation_remediation": ["Apply the latest version of the Theme Editor plugin (greater than 3.2).", "If the plugin is not required, permanently delete it from the WordPress installation.", "Disable the Theme Editor feature for all user roles that do not need it.", "Monitor logs for suspicious file modifications or unauthorized HTTP requests.", "Verify that no third\u2011party code injection points remain after updating."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects the WordPress Theme Editor plugin (vendor mndpsingh287) in all releases up to version 3.2. Any site running the plugin in this range is vulnerable, regardless of the WordPress core version.", "description_and_impact": "The vulnerability is a Cross\u2011Site Request Forgery flaw that permits an attacker to inject arbitrary code through the Theme Editor plugin's form processing. This flaw enables remote code execution on the affected WordPress site, letting an attacker modify files, install malware, or gain full administrative control. The weakness is a classic CSRF\u2011based code injection, classified under CWE\u2011352.", "risk_and_exploitability": "The known CVSS score is not listed, but the absence of an EPSS rating suggests it has not yet been widely exploited. The attack vector is inferred to be an HTTP request that an authenticated or able\u2011to\u2011forge request from a logged\u2011in user can trigger. Because the exploit delivers arbitrary code, the potential impact scales from local file modification to full server takeover, making the risk high for any site that contains sensitive data or user interactions."}}}}, "created": "2026-04-08T19:29:21.530622+00:00", "updated": "2026-04-08T19:41:34.964148+00:00", "vendors": ["mndpsingh287", "mndpsingh287$PRODUCT$theme_editor", "wordpress", "wordpress$PRODUCT$wordpress"]}