CVE-2026-3772 Overview
CVE-2026-3772 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP Editor plugin for WordPress in all versions up to and including 1.2.9.2. The flaw exists in the add_plugins_page and add_themes_page functions, which lack nonce verification before processing file modification requests. An unauthenticated attacker who tricks a site administrator into clicking a crafted link can overwrite arbitrary plugin and theme PHP files with attacker-controlled code. Successful exploitation leads to arbitrary PHP code execution on the affected WordPress site, enabling full site compromise. The issue is tracked under CWE-352: Cross-Site Request Forgery.
Critical Impact
Attackers can overwrite plugin and theme PHP files with malicious code by tricking an administrator into clicking a forged request, resulting in remote code execution and full site takeover.
Affected Products
- WP Editor plugin for WordPress, all versions up to and including 1.2.9.2
- Exploitation requires a victim with plugin/theme editing rights (an administrator) who is logged in to the site in the same browser that makes the forged request
- Sites that have not applied the fix introduced in WordPress Changeset #3480577
Discovery Timeline
- 2026-05-01 - CVE-2026-3772 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-3772
Vulnerability Analysis
The WP Editor plugin provides administrators with an in-dashboard editor for plugin and theme PHP files. The add_plugins_page function in WPEditorPlugins.php and the add_themes_page function in WPEditorThemes.php accept POST data containing a target file path and replacement file contents, then write the supplied content directly to disk.
Neither function calls wp_verify_nonce() or check_admin_referer() before performing the write. WordPress nonces exist precisely to prove that a state-changing request originated from an intentional administrator action inside the dashboard. Without that check, the only thing the request is judged on is the administrator's authentication cookie, which the browser attaches to cross-site requests automatically unless the cookie's SameSite attribute prevents it.
An attacker hosts a page or comment containing a hidden form or fetch() call targeting the vulnerable endpoint. When an authenticated administrator visits the attacker's content, the browser submits the forged request and the plugin overwrites the targeted PHP file. Because the written content is executed by the WordPress runtime, the attacker gains arbitrary code execution under the web server account.
Root Cause
The root cause is missing CSRF protection [CWE-352] on file write handlers. The vulnerable functions trust the request because the user is authenticated, but they do not validate that the user intentionally initiated the request. See the vulnerable handlers in WPEditorPlugins.php line 60 and WPEditorThemes.php line 103.
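To make the root cause concrete, here is an added illustrative pair of handlers. This is not the WP Editor plugin's own code: the wpe_demo_* function names, the wpe_file and wpe_content parameters, the nonce action string and the page slug are all hypothetical. The first function reproduces the vulnerable pattern the advisory describes (a write that trusts nothing but the session cookie); the second shows the nonce, capability and path checks a WordPress file-write handler needs, and the form that carries the matching nonce field:

```php
<?php
// Added illustrative example, not the WP Editor plugin's own code.
// Function, parameter and slug names below are hypothetical.

// Vulnerable pattern: runs on every admin page load and writes whatever
// arrived in $_POST. Only the session cookie is checked, implicitly, by
// the fact that the user reached an admin page at all.
function wpe_demo_vulnerable_save_handler() {
    if ( ! isset( $_POST['wpe_file'], $_POST['wpe_content'] ) ) {
        return;
    }
    // No nonce check, no capability check, no path validation: a forged
    // cross-site POST from a logged-in admin's browser lands here.
    $target = WP_PLUGIN_DIR . '/' . $_POST['wpe_file'];
    file_put_contents( $target, wp_unslash( $_POST['wpe_content'] ) );
}

// Hardened pattern: prove the request was intentionally initiated (nonce),
// that the user may edit files (capability), and that the target really
// lives under the plugins directory (path validation).
function wpe_demo_hardened_save_handler() {
    if ( ! isset( $_POST['wpe_file'], $_POST['wpe_content'] ) ) {
        return;
    }
    // 1. CSRF protection. The nonce is bound to the action string and the
    //    current user's session, so an attacker page cannot know it.
    //    check_admin_referer() calls wp_die() when the nonce is invalid.
    check_admin_referer( 'wpe_demo_save_file', 'wpe_demo_nonce' );

    // 2. Authorization: being logged in is not the same as being allowed
    //    to edit plugin code.
    if ( ! current_user_can( 'edit_plugins' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // 3. Honour the site-wide kill switch for dashboard file editing.
    if ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT ) {
        wp_die( 'File editing is disabled on this site.' );
    }

    // 4. Path validation: resolve the path and confine it to WP_PLUGIN_DIR
    //    so "../" cannot escape to wp-config.php or elsewhere. realpath()
    //    returns false for a non-existent file, which is fine for an editor
    //    that only modifies existing files.
    $base   = realpath( WP_PLUGIN_DIR );
    $rel    = sanitize_text_field( wp_unslash( $_POST['wpe_file'] ) );
    $target = realpath( $base . '/' . $rel );
    if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid file path.' );
    }

    file_put_contents( $target, wp_unslash( $_POST['wpe_content'] ) );
}

// The legitimate form must carry the nonce field that the hardened
// handler verifies; wp_nonce_field() emits it as a hidden input.
function wpe_demo_render_form( $file ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=wpe-demo' ) ) . '">';
    wp_nonce_field( 'wpe_demo_save_file', 'wpe_demo_nonce' );
    echo '<input type="hidden" name="wpe_file" value="' . esc_attr( $file ) . '">';
    echo '<textarea name="wpe_content"></textarea>';
    submit_button( 'Save' );
    echo '</form>';
}

// Hypothetical wiring: process the save on admin_init.
add_action( 'admin_init', 'wpe_demo_hardened_save_handler' );
```

The nonce alone closes the CSRF hole; the capability and path checks are there because a handler that writes PHP to disk should never rely on a single control, and because a nonce proves intent but not authorization.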
Attack Vector
Exploitation is network-based and requires user interaction. The attacker crafts a malicious page that auto-submits a POST request to /wp-admin/admin.php with parameters targeting the WP Editor save handler. The attacker delivers the link through phishing, a comment, or a third-party site visited by an administrator. No attacker authentication is required.
The vulnerability is described in prose only because no public proof-of-concept code has been verified. Refer to the Wordfence Vulnerability Analysis for additional technical context.
Detection Methods for CVE-2026-3772
Indicators of Compromise
- Recent modification timestamps on PHP files inside wp-content/plugins/ or wp-content/themes/ directories that do not match a known update window.
- Unexpected PHP code such as eval(), base64_decode(), assert(), or outbound file_get_contents() calls inserted into legitimate plugin or theme files.
- Web server access log entries showing POST requests to wp-admin/admin.php with page=wp-editor parameters whose Referer header is absent or names an origin other than the site itself.
- New administrator accounts, scheduled tasks, or cron jobs created shortly after a suspicious POST to the WP Editor endpoint.
Detection Strategies
- Compare on-disk plugin and theme files against the official distribution checksums to identify unauthorized modifications.
- Alert on POST requests to WP Editor endpoints where the HTTP Referer header is missing or points to an external domain; if your server logs the Origin header, prefer it, since browsers send it on cross-site POSTs and strip it less often than Referer.
- Monitor file integrity on wp-content/plugins/ and wp-content/themes/ and treat any change outside an approved maintenance window as suspicious.
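The Referer-based detection above, as an added example (not part of the advisory or the Wordfence analysis), run over constructed Apache "combined" access log lines. The site host is an assumption, and the page slugs wp-editor-plugins and wp-editor-themes are constructed to match the page=wp-editor* pattern the advisory describes, not the plugin's real slugs:

```php
<?php
// Added example: flag POSTs to the WP Editor admin page whose Referer is
// missing or foreign. Site host and page slugs are assumptions.

const SITE_HOST = 'blog.example.com';

// Combined log format:
// host ident user [time] "METHOD path proto" status bytes "referer" "ua"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

// True for a POST to /wp-admin/admin.php with page=wp-editor* (advisory's pattern).
function wpe_is_editor_post(string $method, string $path): bool {
    if ($method !== 'POST') {
        return false;
    }
    $url = parse_url($path);
    if (($url['path'] ?? '') !== '/wp-admin/admin.php') {
        return false;
    }
    parse_str($url['query'] ?? '', $q);
    return isset($q['page']) && strpos($q['page'], 'wp-editor') === 0;
}

// A missing Referer cannot prove same-site origin, so it is treated as foreign.
function wpe_referer_is_foreign(string $referer): bool {
    if ($referer === '' || $referer === '-') {
        return true;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return strcasecmp((string) $host, SITE_HOST) !== 0;
}

function wpe_scan_log(array $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue;                       // not a combined-format line
        }
        [, $client, $time, $method, $path, $status, $referer] = $m;
        if (wpe_is_editor_post($method, $path) && wpe_referer_is_foreign($referer)) {
            $hits[] = [
                'client'  => $client,
                'time'    => $time,
                'status'  => (int) $status,
                'referer' => $referer,
            ];
        }
    }
    return $hits;
}

// Constructed sample: one legitimate same-site save, one save referred from an
// attacker page, one save with no Referer at all, and one harmless GET.
$sample = [
    '203.0.113.7 - - [02/May/2026:10:12:01 +0000] "POST /wp-admin/admin.php?page=wp-editor-plugins HTTP/1.1" 200 512 "https://blog.example.com/wp-admin/admin.php?page=wp-editor-plugins" "Mozilla/5.0"',
    '203.0.113.7 - - [02/May/2026:10:15:44 +0000] "POST /wp-admin/admin.php?page=wp-editor-plugins HTTP/1.1" 200 512 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '203.0.113.7 - - [02/May/2026:10:16:02 +0000] "POST /wp-admin/admin.php?page=wp-editor-themes HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/May/2026:10:17:30 +0000] "GET /wp-admin/admin.php?page=wp-editor-plugins HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

// Expected: the second and third lines are reported, the first and fourth are not.
foreach (wpe_scan_log($sample) as $hit) {
    printf("ALERT %s client=%s status=%d referer=%s\n",
        $hit['time'], $hit['client'], $hit['status'], $hit['referer']);
}
```

Treat these hits as triage leads rather than proof: privacy extensions and a strict Referrer-Policy can strip Referer from legitimate administrator traffic, which is why the advisory's own recommendation to log and compare the Origin header is the stronger signal where available.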
Monitoring Recommendations
- Forward WordPress access logs and PHP error logs into a centralized SIEM for correlation against administrator session activity.
- Log the Referer and Origin headers on POSTs to admin endpoints and correlate them with administrator login sessions, so that a cross-site submission made while an administrator was logged in can be identified after the fact.
- Review newly created or modified PHP files daily and validate them against version control or backup baselines.
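The file-integrity and suspicious-code review recommended above, as an added example that is not part of the advisory. It builds a sha256 baseline of plugin and theme PHP files, then flags files that changed, that were modified after a maintenance window, or that contain the constructs the Indicators of Compromise list (eval, assert, base64_decode, remote file_get_contents). The wp-content tree, file contents and maintenance window are constructed in a temp directory for the demo:

```php
<?php
// Added example: audit plugin/theme PHP files against a hash baseline and
// flag suspicious constructs. The directory tree and contents are constructed.

// Recursively list *.php files under $root, sorted for stable output.
function wpe_php_files(string $root): array {
    $files = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        if ($f->isFile() && strtolower($f->getExtension()) === 'php') {
            $files[] = $f->getPathname();
        }
    }
    sort($files);
    return $files;
}

// Baseline: relative path => sha256, taken while the tree is known-good
// (an official-checksum file for the plugin version serves the same purpose).
function wpe_build_baseline(string $root): array {
    $baseline = [];
    foreach (wpe_php_files($root) as $file) {
        $baseline[substr($file, strlen($root) + 1)] = hash_file('sha256', $file);
    }
    return $baseline;
}

// Constructs commonly dropped into overwritten plugin/theme files.
const SUSPICIOUS_PATTERNS = [
    'eval('                    => '/\beval\s*\(/i',
    'assert('                  => '/\bassert\s*\(/i',
    'base64_decode('           => '/\bbase64_decode\s*\(/i',
    'remote file_get_contents(' => '/\bfile_get_contents\s*\(\s*[\'"]https?:\/\//i',
];

// Returns relative path => list of reasons for every file worth a look.
function wpe_audit(string $root, array $baseline, int $windowEnd): array {
    clearstatcache();
    $findings = [];
    foreach (wpe_php_files($root) as $file) {
        $rel     = substr($file, strlen($root) + 1);
        $reasons = [];
        if (!isset($baseline[$rel])) {
            $reasons[] = 'not in baseline';
        } elseif ($baseline[$rel] !== hash_file('sha256', $file)) {
            $reasons[] = 'hash mismatch';
        }
        if (filemtime($file) > $windowEnd) {
            $reasons[] = 'modified after maintenance window';
        }
        $src = file_get_contents($file);
        foreach (SUSPICIOUS_PATTERNS as $label => $re) {
            if (preg_match($re, $src)) {
                $reasons[] = "contains $label";
            }
        }
        if ($reasons) {
            $findings[$rel] = $reasons;
        }
    }
    return $findings;
}

// --- demo: constructed wp-content tree in a temp directory ---
$root = sys_get_temp_dir() . '/wpe-demo-' . bin2hex(random_bytes(4));
mkdir("$root/plugins/hello", 0700, true);
mkdir("$root/themes/twentyx", 0700, true);
file_put_contents("$root/plugins/hello/hello.php", "<?php\nfunction hello() { return 'hi'; }\n");
file_put_contents("$root/themes/twentyx/functions.php", "<?php\nadd_action('init', 'noop');\n");
foreach (wpe_php_files($root) as $f) {
    touch($f, time() - 7200);               // pretend the files are two hours old
}

$baseline  = wpe_build_baseline($root);     // snapshot while known-good
$windowEnd = time() - 3600;                 // maintenance window closed an hour ago

// Simulate the post-exploitation state: one plugin file overwritten with a backdoor.
file_put_contents("$root/plugins/hello/hello.php", "<?php\neval(base64_decode(\$_POST['c']));\n");

// Expected: only plugins/hello/hello.php is reported, with hash mismatch,
// modified after maintenance window, contains eval( and contains base64_decode(.
foreach (wpe_audit($root, $baseline, $windowEnd) as $rel => $reasons) {
    echo "$rel: " . implode(', ', $reasons) . "\n";
}
```

The hash comparison is the control that catches a rewritten file even when the attacker avoids every pattern on the list; the pattern scan is a fast first pass for triage, not a substitute for it.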
How to Mitigate CVE-2026-3772
Immediate Actions Required
- Deactivate and remove the WP Editor plugin on any site running version 1.2.9.2 or earlier until a patched version is installed.
- Audit all plugin and theme PHP files for unauthorized modifications and restore from a known-good backup if tampering is found.
- If tampering is found, treat the site as fully compromised: rotate all administrator passwords, the wp-config.php salts and any database or API credentials reachable from PHP, and invalidate active sessions, because code the attacker wrote ran with the web server's privileges and may have harvested them.
- Restrict access to /wp-admin/ by IP address or VPN where operationally feasible to reduce exposure to forged requests.
Patch Information
The vendor addressed the missing nonce checks in WordPress Changeset #3480577. Update WP Editor to a version released after this changeset. Verify the installed version in the WordPress plugin management dashboard after applying the update.
Workarounds
- Remove the WP Editor plugin entirely if it is not actively used. Setting DISALLOW_FILE_EDIT to true in wp-config.php disables WordPress's own built-in plugin and theme editors; a third-party plugin that writes files itself is not necessarily bound by that constant, so do not rely on it alone to neutralize this flaw.
- Deploy a Web Application Firewall (WAF) rule that requires a Referer or Origin matching the site's own domain on POST requests to /wp-admin/admin.php?page=wp-editor*. Test it against legitimate administrator traffic first: browsers and privacy extensions sometimes omit Referer, so a rule that blocks on a missing header may lock out real users.
- Train administrators to avoid clicking unsolicited links while logged into the WordPress dashboard and use a separate browser profile for administrative tasks.
# Disable file editing in WordPress as a defense-in-depth measure
# Add to wp-config.php, above the "That's all, stop editing!" line
define('DISALLOW_FILE_EDIT', true);
# DISALLOW_FILE_MODS also blocks plugin and theme installs and updates from
# the dashboard, including the WP Editor update itself; set it only if updates
# are applied by another route (WP-CLI, deployment pipeline).
define('DISALLOW_FILE_MODS', true);
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


