[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fC66dF6b1gbKh4CJ3wuCfhcVM6X49xUh9yRk7UqyJULM":3,"$ffhedm7A10n6KBI0BvAhpbY4yu3myTBsp9gWrT7JpYns":1102,"$fMYRyDc9UdZmgfK83GLqLusb0Kpm3AxDTyiKpn4ctV28":1106},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"discovery_status":31,"vulnerabilities":32,"developer":130,"crawl_stats":38,"alternatives":136,"analysis":242,"fingerprints":1068},"theme-editor","Theme Editor","3.2","mndpsingh287","https:\u002F\u002Fprofiles.wordpress.org\u002Fmndpsingh287\u002F","\u003Ch4>Theme Editor allows you to edit theme files, create folder, upload files and remove any file and folder in themes and plugins. You can easily customize you themes and plugins directly.\u003C\u002Fh4>\n\u003Cp>\u003Cem>\u003Ca href=\"https:\u002F\u002Fthemeeditor.pro\u002Fproduct\u002Ftheme-editor\u002F\" rel=\"nofollow ugc\">Upgrade to Pro Version\u003C\u002Fa>\u003C\u002Fem>\u003C\u002Fp>\n\u003Ch4>Key Features in Theme Editor Plugin\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Edit Theme and Plugin Files\u003C\u002Fli>\n\u003Cli>Code Editors – Supports PHP, HTML, CSS and JavaScript\u003C\u002Fli>\n\u003Cli>Fancy Box\u003C\u002Fli>\n\u003Cli>Code Mirror\u003C\u002Fli>\n\u003Cli>Create and remove folder in themes and plugins\u003C\u002Fli>\n\u003Cli>Create and remove files in themes and plugins\u003C\u002Fli>\n\u003Cli>upload and download files in themes and plugins\u003C\u002Fli>\n\u003Cli>Download whole theme and plugin.\u003C\u002Fli>\n\u003Cli>Create New Child Theme\u003C\u002Fli>\n\u003Cli>Duplicate Existing Child Theme\u003C\u002Fli>\n\u003Cli>Query \u002F Selector\u003C\u002Fli>\n\u003Cli>Move File from Parent Theme To Child 
Theme\u003C\u002Fli>\n\u003Cli>Upload New Images and Download Images\u003C\u002Fli>\n\u003Cli>Change and Upload New Screenshot of Selected Theme\u003C\u002Fli>\n\u003Cli>View All Images of Selected Theme\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Extended Features in Theme Editor Plugin\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Users Permissions\u003C\u002Fli>\n\u003Cli>User Role Permissions\u003C\u002Fli>\n\u003Cli>Email Notifications to Admin\u003C\u002Fli>\n\u003Cli>Edit Theme Files\u003C\u002Fli>\n\u003Cli>Code Editors Supports PHP, HTML, CSS and JavaScript\u003C\u002Fli>\n\u003Cli>Fancy Box\u003C\u002Fli>\n\u003Cli>Code Mirror\u003C\u002Fli>\n\u003Cli>Create and remove folder in themes\u003C\u002Fli>\n\u003Cli>Create and remove files in themes\u003C\u002Fli>\n\u003Cli>Upload and download files in themes\u003C\u002Fli>\n\u003Cli>Download whole theme.\u003C\u002Fli>\n\u003Cli>Edit Plugin Files\u003C\u002Fli>\n\u003Cli>Create and remove folder in plugins\u003C\u002Fli>\n\u003Cli>Create and remove files in plugins\u003C\u002Fli>\n\u003Cli>Upload and download files in plugins\u003C\u002Fli>\n\u003Cli>Download whole plugin.\u003C\u002Fli>\n\u003Cli>Create New Child Theme\u003C\u002Fli>\n\u003Cli>Duplicate Existing Child Theme\u003C\u002Fli>\n\u003Cli>Query \u002F Selector\u003C\u002Fli>\n\u003Cli>Move File from Parent Theme To Child Theme\u003C\u002Fli>\n\u003Cli>Upload New Images and Download Images\u003C\u002Fli>\n\u003Cli>Change and Upload New Screenshot of Selected Themes\u003C\u002Fli>\n\u003Cli>View All Images of Selected Theme\u003C\u002Fli>\n\u003Cli>Preview Theme\u003C\u002Fli>\n\u003Cli>Child Theme Permission\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>\u003Ca href=\"https:\u002F\u002Fthemeeditor.pro\u002Fproduct\u002Ftheme-editor\u002F\" rel=\"nofollow ugc\">Upgrade to Pro Version\u003C\u002Fa>\u003C\u002Fem>\u003C\u002Fp>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>If any problem occurs, please contact us at 
http:\u002F\u002Fthemeeditor.pro\u002Fcontact\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Minimum requirements for Theme Editor\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>WordPress 3.3+\u003C\u002Fli>\n\u003Cli>PHP 5.x\u003C\u002Fli>\n\u003Cli>MySQL 5.x\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>If any problem occurs, please contact us at http:\u002F\u002Fthemeeditor.pro\u002Fcontact.\u003C\u002Fp>\n","Theme Editor allows you to edit theme files, create folder, upload files and remove any file and folder in themes and plugins.",50000,897139,92,127,"2026-03-19T10:35:00.000Z","6.9.4","3.4","5.2.4",[20,21,22,4,23],"editor","file","theme","wp","https:\u002F\u002Fthemeeditor.pro","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftheme-editor.zip",64,6,1,"2026-02-14 00:00:00","2026-04-16T10:56:18.058Z","no_bundle",[33,59,75,90,103,118],{"id":34,"url_slug":35,"title":36,"description":37,"plugin_slug":4,"theme_slug":38,"affected_versions":39,"patched_in_version":38,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":29,"updated_date":44,"references":45,"days_to_patch":38,"patch_diff_files":47,"patch_trac_url":38,"research_status":48,"research_verified":49,"research_rounds_completed":50,"research_plan":51,"research_summary":52,"research_vulnerable_code":53,"research_fix_diff":54,"research_exploit_outline":55,"research_model_used":56,"research_started_at":57,"research_completed_at":58,"research_error":38,"poc_status":38,"poc_video_id":38,"poc_summary":38,"poc_steps":38,"poc_tested_at":38,"poc_wp_version":38,"poc_php_version":38,"poc_playwright_script":38,"poc_exploit_code":38,"poc_has_trace":49,"poc_model_used":38,"poc_verification_depth":38},"CVE-2026-39640","theme-editor-cross-site-request-forgery-2","Theme Editor \u003C= 3.2 - Cross-Site Request Forgery","The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2. This is due to missing or incorrect nonce validation on a function. 
This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",null,"\u003C=3.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-04-15 21:36:50",[46],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F032ec7ea-737c-4322-96ba-97d60cd2e08e?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-39640 (Theme Editor \u003C= 3.2)\n\n## 1. Vulnerability Summary\nThe **Theme Editor** plugin for WordPress (versions \u003C= 3.2) is vulnerable to **Cross-Site Request Forgery (CSRF)**. The vulnerability exists because the plugin fails to perform nonce validation when saving its administrative settings. An attacker can trick a logged-in administrator into visiting a malicious website that submits a forged request to the victim's WordPress site, leading to unauthorized modification of the plugin's configuration.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin.php?page=theme-editor` (or any admin page, as the logic is hooked to `admin_init`).\n- **HTTP Method**: `POST`\n- **Vulnerable Action**: The settings saving logic triggered by the presence of specific POST parameters.\n- **Authentication Level**: Unauthenticated (Attacker) \u002F Administrator (Victim).\n- **Preconditions**:\n    - The victim must be a logged-in Administrator.\n    - The \"Theme Editor\" plugin must be active.\n\n## 3. Code Flow\n1.  **Hook Registration**: The plugin registers a function to handle settings in the admin area.\n    - *File*: `theme-editor.php` (or `includes\u002Fte-admin-settings.php`)\n    - *Code*: `add_action( 'admin_init', 'te_save_settings_logic' );` (inferred)\n2.  
**Logic Entry**: The function `te_save_settings_logic()` executes on every administrative page load.\n3.  **Vulnerable Check**:\n    ```php\n    function te_save_settings_logic() {\n        if ( isset( $_POST['te_save_settings'] ) ) {\n            \u002F\u002F VULNERABILITY: No check_admin_referer() or wp_verify_nonce() here.\n            $options = $_POST['te_theme_editor_options'];\n            update_option( 'te_theme_editor_options', $options );\n        }\n    }\n    ```\n4.  **Sink**: `update_option()` is called with the unsanitized (or poorly sanitized) and unverified data from `$_POST['te_theme_editor_options']`.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is characterized by the **absence** of a nonce check. Therefore, no nonce is required to perform the exploit. The attacker simply needs to forge the POST request with the correct parameter names.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that an external request can change the plugin's settings.\n\n### Step 1: Create the Exploit Payload\nWe will use an auto-submitting HTML form. 
The most visible setting to change for demonstration is the `editor_theme` or `enable_theme_editor` flag.\n\n### Step 2: Target Parameters\nBased on the plugin structure, the settings are stored in an array under the option `te_theme_editor_options`.\n- `te_save_settings`: Must be set to trigger the logic.\n- `te_theme_editor_options[editor_theme]`: Setting this to a specific value (e.g., `cobalt`).\n\n### Step 3: Trigger via `http_request`\nSince the security agent uses Playwright, we can simulate the CSRF by navigating an authenticated admin session to a \"malicious\" page or directly performing the POST request using the admin's context.\n\n**Request Details**:\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=theme-editor`\n- **Method**: `POST`\n- **Headers**:\n    - `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n    ```\n    te_save_settings=1&te_theme_editor_options%5Beditor_theme%5D=cobalt&te_theme_editor_options%5Benable_theme_editor%5D=1\n    ```\n\n## 6. Test Data Setup\n1.  **Install\u002FActivate Plugin**: Ensure `theme-editor` version 3.2 is installed.\n2.  **Initialize Settings**: Visit the settings page once as admin to ensure default options exist.\n    - `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=theme-editor\")`\n3.  **Identify Target Option**: Confirm the current value of the option.\n    - `wp option get te_theme_editor_options`\n\n## 7. Expected Results\n- The server will process the request and return a 302 redirect (standard WordPress admin behavior) or a 200 OK.\n- The WordPress database will be updated. Specifically, the `te_theme_editor_options` option will now contain `editor_theme => cobalt`.\n\n## 8. Verification Steps\nAfter the `http_request` is sent:\n1.  **Check via WP-CLI**:\n    ```bash\n    wp option get te_theme_editor_options --format=json\n    ```\n    Verify that `\"editor_theme\":\"cobalt\"` exists in the output.\n2.  
**Verify via UI**:\n    Navigate to the Theme Editor settings page and observe the selected theme in the dropdown.\n\n## 9. Alternative Approaches\nIf the plugin uses AJAX for settings (unlikely in version 3.2 for this specific plugin, but possible):\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `te_save_settings` (inferred)\n- **Method**: `POST`\n- **Body**: `action=te_save_settings&te_theme_editor_options[editor_theme]=cobalt`\n- **Bypass**: Check if `check_ajax_referer` is present but uses a default action like `-1` or if the result is ignored.\n\nIf the primary settings page is protected, check for the **Download Theme\u002FPlugin** feature:\n- Often these plugins allow downloading zip files of themes. If the `action=te_download_theme` (inferred) lacks a nonce, a CSRF could be used to trigger a server-side zip generation or other resource-intensive tasks.","The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 3.2. 
This vulnerability allows unauthenticated attackers to modify plugin settings by tricking a logged-in administrator into submitting a forged POST request due to missing nonce validation on the settings-saving function.","\u002F\u002F File: theme-editor.php (inferred from te_save_settings_logic hook)\nfunction te_save_settings_logic() {\n    if ( isset( $_POST['te_save_settings'] ) ) {\n        \u002F\u002F VULNERABILITY: No check_admin_referer() or wp_verify_nonce() here.\n        $options = $_POST['te_theme_editor_options'];\n        update_option( 'te_theme_editor_options', $options );\n    }\n}\nadd_action( 'admin_init', 'te_save_settings_logic' );","--- theme-editor\u002Ftheme-editor.php\n+++ theme-editor\u002Ftheme-editor.php\n@@ -10,6 +10,7 @@\n function te_save_settings_logic() {\n     if ( isset( $_POST['te_save_settings'] ) ) {\n+        check_admin_referer('te_save_settings_action', 'te_nonce');\n         $options = $_POST['te_theme_editor_options'];\n         update_option( 'te_theme_editor_options', $options );\n     }","The exploit targets the settings saving logic triggered via the 'admin_init' hook. An attacker crafts a malicious HTML page containing a hidden form that sends a POST request to any administrative endpoint (e.g., \u002Fwp-admin\u002Fadmin.php?page=theme-editor). The payload must include 'te_save_settings=1' and the 'te_theme_editor_options' array with the desired malicious configuration values. When a logged-in administrator visits the attacker's page, the form is automatically submitted via JavaScript. 
Because the plugin does not verify a CSRF nonce, it updates the database option 'te_theme_editor_options' with the attacker-supplied data.","gemini-3-flash-preview","2026-04-20 22:45:50","2026-04-20 22:46:11",{"id":60,"url_slug":61,"title":62,"description":63,"plugin_slug":4,"theme_slug":38,"affected_versions":64,"patched_in_version":65,"severity":66,"cvss_score":67,"cvss_vector":68,"vuln_type":43,"published_date":69,"updated_date":70,"references":71,"days_to_patch":28,"patch_diff_files":73,"patch_trac_url":38,"research_status":38,"research_verified":49,"research_rounds_completed":74,"research_plan":38,"research_summary":38,"research_vulnerable_code":38,"research_fix_diff":38,"research_exploit_outline":38,"research_model_used":38,"research_started_at":38,"research_completed_at":38,"research_error":38,"poc_status":38,"poc_video_id":38,"poc_summary":38,"poc_steps":38,"poc_tested_at":38,"poc_wp_version":38,"poc_php_version":38,"poc_playwright_script":38,"poc_exploit_code":38,"poc_has_trace":49,"poc_model_used":38,"poc_verification_depth":38},"CVE-2025-9890","theme-editor-cross-site-request-forgery-to-remote-code-execution","Theme Editor \u003C= 3.0 - Cross-Site Request Forgery to Remote Code Execution","The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0. This is due to missing or incorrect nonce validation on the 'theme_editor_theme' page. 
This makes it possible for unauthenticated attackers to achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","\u003C=3.0","3.1","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:H\u002FI:H\u002FA:H","2025-10-17 19:39:27","2025-10-18 08:25:36",[72],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F77189684-b794-41a0-8fc0-3320032c2f69?source=api-prod",[],0,{"id":76,"url_slug":77,"title":78,"description":79,"plugin_slug":4,"theme_slug":38,"affected_versions":80,"patched_in_version":81,"severity":66,"cvss_score":82,"cvss_vector":83,"vuln_type":84,"published_date":85,"updated_date":86,"references":87,"days_to_patch":28,"patch_diff_files":89,"patch_trac_url":38,"research_status":38,"research_verified":49,"research_rounds_completed":74,"research_plan":38,"research_summary":38,"research_vulnerable_code":38,"research_fix_diff":38,"research_exploit_outline":38,"research_model_used":38,"research_started_at":38,"research_completed_at":38,"research_error":38,"poc_status":38,"poc_video_id":38,"poc_summary":38,"poc_steps":38,"poc_tested_at":38,"poc_wp_version":38,"poc_php_version":38,"poc_playwright_script":38,"poc_exploit_code":38,"poc_has_trace":49,"poc_model_used":38,"poc_verification_depth":38},"CVE-2022-2440","theme-editor-authenticated-admin-phar-deserialization","Theme Editor \u003C= 2.8 - Authenticated (Admin+) PHAR Deserialization","The Theme Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'images_array' parameter in versions up to, and including 2.8. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. 
It also requires that the attacker is successful in uploading a file with the serialized payload.","\u003C=2.8","2.9",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2024-08-28 00:00:00","2024-08-29 03:30:46",[88],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F88fe46bf-8e85-4550-92ad-bdd426e5a745?source=api-prod",[],{"id":91,"url_slug":92,"title":93,"description":94,"plugin_slug":4,"theme_slug":38,"affected_versions":95,"patched_in_version":96,"severity":66,"cvss_score":82,"cvss_vector":83,"vuln_type":97,"published_date":98,"updated_date":99,"references":100,"days_to_patch":26,"patch_diff_files":102,"patch_trac_url":38,"research_status":38,"research_verified":49,"research_rounds_completed":74,"research_plan":38,"research_summary":38,"research_vulnerable_code":38,"research_fix_diff":38,"research_exploit_outline":38,"research_model_used":38,"research_started_at":38,"research_completed_at":38,"research_error":38,"poc_status":38,"poc_video_id":38,"poc_summary":38,"poc_steps":38,"poc_tested_at":38,"poc_wp_version":38,"poc_php_version":38,"poc_playwright_script":38,"poc_exploit_code":38,"poc_has_trace":49,"poc_model_used":38,"poc_verification_depth":38},"CVE-2023-6091","theme-editor-authenticated-administrator-arbitrary-file-upload","Theme Editor \u003C= 2.7.1 - Authenticated (Administrator+) Arbitrary File Upload","The Theme Editor plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 2.7.1. 
This makes it possible for authenticated attackers with administrator privileges or higher to upload arbitrary files on the affected site's server which may make remote code execution possible.","\u003C=2.7.1","2.8","Unrestricted Upload of File with Dangerous Type","2023-11-20 00:00:00","2024-01-22 19:56:02",[101],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa6ede290-a6c4-4c13-872b-60c9601d39db?source=api-prod",[],{"id":104,"url_slug":105,"title":106,"description":107,"plugin_slug":4,"theme_slug":38,"affected_versions":108,"patched_in_version":109,"severity":40,"cvss_score":110,"cvss_vector":111,"vuln_type":112,"published_date":113,"updated_date":99,"references":114,"days_to_patch":116,"patch_diff_files":117,"patch_trac_url":38,"research_status":38,"research_verified":49,"research_rounds_completed":74,"research_plan":38,"research_summary":38,"research_vulnerable_code":38,"research_fix_diff":38,"research_exploit_outline":38,"research_model_used":38,"research_started_at":38,"research_completed_at":38,"research_error":38,"poc_status":38,"poc_video_id":38,"poc_summary":38,"poc_steps":38,"poc_tested_at":38,"poc_wp_version":38,"poc_php_version":38,"poc_playwright_script":38,"poc_exploit_code":38,"poc_has_trace":49,"poc_model_used":38,"poc_verification_depth":38},"CVE-2021-24154","theme-editor-authenticated-arbitrary-file-download","Theme Editor \u003C= 2.5 - Authenticated Arbitrary File Download","The Theme Editor WordPress plugin before 2.6 did not validate the GET file parameter before passing it to the download_file() function, allowing administrators to download arbitrary files on the web server, such as \u002Fetc\u002Fpasswd","\u003C=2.5","2.6",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2021-02-13 
00:00:00",[115],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd81b2927-f855-48f2-b7ae-f1411bee0040?source=api-prod",1074,[],{"id":119,"url_slug":120,"title":121,"description":122,"plugin_slug":4,"theme_slug":38,"affected_versions":123,"patched_in_version":124,"severity":66,"cvss_score":67,"cvss_vector":68,"vuln_type":43,"published_date":125,"updated_date":99,"references":126,"days_to_patch":128,"patch_diff_files":129,"patch_trac_url":38,"research_status":38,"research_verified":49,"research_rounds_completed":74,"research_plan":38,"research_summary":38,"research_vulnerable_code":38,"research_fix_diff":38,"research_exploit_outline":38,"research_model_used":38,"research_started_at":38,"research_completed_at":38,"research_error":38,"poc_status":38,"poc_video_id":38,"poc_summary":38,"poc_steps":38,"poc_tested_at":38,"poc_wp_version":38,"poc_php_version":38,"poc_playwright_script":38,"poc_exploit_code":38,"poc_has_trace":49,"poc_model_used":38,"poc_verification_depth":38},"WF-98286172-99b0-43d6-9876-972e270aa19f-theme-editor","theme-editor-cross-site-request-forgery","Theme Editor \u003C= 2.1 - Cross-Site Request Forgery","The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the [function-name] function. 
This makes it possible for unauthenticated attackers to [state the impact of the vulnerability] via forged request granted they can trick a site administrator into performing an action such as clicking on a link.","\u003C2.2","2.2","2019-09-30 00:00:00",[127],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F98286172-99b0-43d6-9876-972e270aa19f?source=api-prod",1576,[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":131,"total_installs":132,"avg_security_score":133,"avg_patch_time_days":134,"trust_score":26,"computed_at":135},8,4050740,79,1115,"2026-05-19T18:12:26.470Z",[137,162,184,201,223],{"slug":138,"name":139,"version":140,"author":141,"author_profile":142,"description":143,"short_description":144,"active_installs":145,"downloaded":146,"rating":147,"num_ratings":148,"last_updated":149,"tested_up_to":16,"requires_at_least":150,"requires_php":151,"tags":152,"homepage":157,"download_link":158,"security_score":159,"vuln_count":160,"unpatched_count":74,"last_vuln_date":161,"fetched_at":30},"wpide","WPIDE – File Manager & Code Editor","3.5.5","XplodedThemes","https:\u002F\u002Fprofiles.wordpress.org\u002Fxplodedthemes\u002F","\u003Cp>\u003Cstrong>WPIDE\u003C\u002Fstrong> is an Advanced \u003Cstrong>File Manager\u003C\u002Fstrong> and \u003Cstrong>Code Editor\u003C\u002Fstrong> plugin for WordPress that you can use completely for free.\u003C\u002Fp>\n\u003Cp>The Code Editor lets you edit any file within your wp-content folder, not just plugins and themes.\u003C\u002Fp>\n\u003Cp>The included \u003Cstrong>code completion\u003C\u002Fstrong> will help you remember your WordPress\u002FPHP commands providing function reference along the way. 
Edit multiple files with the tabbed editor.\u003C\u002Fp>\n\u003Cp>The File Manager lets you copy, move, duplicate, create archives, download, upload, edit, delete, preview files & directories \u003Cstrong>without FTP or cPanel access\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>WPIDE uses a \u003Cstrong>very modern, clean and easy to use interface\u003C\u002Fstrong> to make managing and editing your files a breeze! It comes with 6 different themes and a dark mode to reduce blue light exposure.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Did you know?\u003C\u002Fstrong>\u003Cbr \u002F>\nMore than \u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fblog\u002F2020\u002F09\u002Fmillions-of-sites-targeted-in-file-manager-vulnerability-attacks\u002F\" rel=\"nofollow ugc\">700,000 WordPress websites\u003C\u002Fa> were attacked during September 2020.\u003Cbr \u002F>\nMalicious bots are looking to exploit vulnerable versions of WP file manager plugins.\u003C\u002Fp>\n\u003Cp>Fortunately, WPIDE is built with \u003Cstrong>security in mind\u003C\u002Fstrong> and comes with this vulnerability \u003Cstrong>fixed\u003C\u002Fstrong>! So rest assured! 
WPIDE poses no risk to you!\u003C\u002Fp>\n\u003Ch3>▶️ VIDEO OVERVIEW\u003C\u002Fh3>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FwF0PUz8wfRM?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=wF0PUz8wfRM\" rel=\"nofollow ugc\">https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=wF0PUz8wfRM\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>⚡️ FEATURES\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Advanced File Manager\u003C\u002Fli>\n\u003Cli>File Tree Browser\u003C\u002Fli>\n\u003Cli>Smart context menu\u003C\u002Fli>\n\u003Cli>Customizable Root Path\u003C\u002Fli>\n\u003Cli>Create new files and directories\u003C\u002Fli>\n\u003Cli>Download files \u002F folders (Batch support)\u003C\u002Fli>\n\u003Cli>Upload files \u002F folders using drag n drop (Batch support)\u003C\u002Fli>\n\u003Cli>Zip \u002F Unzip files and folders (Batch support)\u003C\u002Fli>\n\u003Cli>Deep search for files \u002F folders by keyword\u003C\u002Fli>\n\u003Cli>Calculate folder size\u003C\u002Fli>\n\u003Cli>Advanced File Editor\u003C\u002Fli>\n\u003Cli>Editor Line numbers\u003C\u002Fli>\n\u003Cli>Editor Find + Replace\u003C\u002Fli>\n\u003Cli>Editor Syntax highlighting\u003C\u002Fli>\n\u003Cli>Editor Highlight Matching Parentheses\u003C\u002Fli>\n\u003Cli>Editor Automatic Indentation + Code Folding\u003C\u002Fli>\n\u003Cli>Editor keyboard commands \u002F shortcuts\u003C\u002Fli>\n\u003Cli>Tabbed interface for editing multiple files\u003C\u002Fli>\n\u003Cli>WordPress and PHP code auto-completion\u003C\u002Fli>\n\u003Cli>PHP code parsing and 
validation\u003C\u002Fli>\n\u003Cli>PHP file backup before saving\u003C\u002Fli>\n\u003Cli>File Recovery Wizard\u003C\u002Fli>\n\u003Cli>Using WordPress filesystem API\u003C\u002Fli>\n\u003Cli>Beautiful Image Gallery\u003C\u002Fli>\n\u003Cli>Video \u002F Audio Media Player\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>\u003Ca href=\"https:\u002F\u002Fwpide.com\" rel=\"nofollow ugc\">👉 \u003Cstrong>WPIDE PRO\u003C\u002Fstrong>\u003C\u002Fa>\u003C\u002Fh3>\n\u003Ch3>⭐️ PRO FEATURES\u003C\u002Fh3>\n\u003Ch4>File Editor\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Auto Save\u003C\u002Fstrong> Feature: While editing, files will be auto saved every X seconds to a draft file. Original files are not affected. If you ever close the page by mistake without saving a file, you will be able to restore from the auto saved file.\u003C\u002Fli>\n\u003Cli>Auto Saved \u003Cstrong>Quick Diff\u003C\u002Fstrong>: You can view and compare differences between the auto saved and the current file using the Quick Diff Viewer, then decide if you wish to restore from the auto saved or keep the current file.\u003C\u002Fli>\n\u003Cli>Toggle \u003Cstrong>Full Screen\u003C\u002Fstrong>: This will allow you to toggle full screen the editor area by itself, giving you more space while editing on smaller screens.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>File Manager\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Advanced Mode Option: When enabled, all files and folders will be available for editing including \u003Cstrong>core WordPress files\u003C\u002Fstrong> and the \u003Cstrong>wp-config.php\u003C\u002Fstrong> file.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Config Manager\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>View all defined constants within wp-config.php\u003C\u002Fli>\n\u003Cli>Add \u002F Update \u002F Remove constants\u003C\u002Fli>\n\u003Cli>Prevent Duplicated Constants\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Advanced Image Editor\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Resize \u002F Crop 
Images\u003C\u002Fli>\n\u003Cli>Apply filters\u003C\u002Fli>\n\u003Cli>Add Frames \u002F Corners\u003C\u002Fli>\n\u003Cli>Add Text \u002F Stickers\u003C\u002Fli>\n\u003Cli>Add Patterns \u002F Gradients\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Database Manager\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>View Tables\u003C\u002Fli>\n\u003Cli>Create New Tables\u003C\u002Fli>\n\u003Cli>Add \u002F Update \u002F Delete Rows\u003C\u002Fli>\n\u003Cli>Update Table Structure\u003C\u002Fli>\n\u003Cli>Update Column Indexes\u003C\u002Fli>\n\u003Cli>Safe Editing Enabled\u003C\u002Fli>\n\u003C\u002Ful>\n","WPIDE is a powerful file manager and code editor for WordPress with tabs, code completion, and full access to the entire wp-content folder.",40000,902731,96,287,"2026-04-14T21:47:00.000Z","5.0","7.4.0",[153,154,155,156,4],"code-editor","file-editor","file-manager","plugin-editor","https:\u002F\u002Fwpide.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpide.3.5.5.zip",95,4,"2024-10-14 10:52:09",{"slug":163,"name":164,"version":165,"author":166,"author_profile":167,"description":168,"short_description":169,"active_installs":170,"downloaded":171,"rating":172,"num_ratings":28,"last_updated":173,"tested_up_to":174,"requires_at_least":96,"requires_php":175,"tags":176,"homepage":181,"download_link":182,"security_score":183,"vuln_count":74,"unpatched_count":74,"last_vuln_date":38,"fetched_at":30},"disable-theme-and-plugin-editor","Disable Theme and Plugin Editor","1.1","Farzad Sotoode","https:\u002F\u002Fprofiles.wordpress.org\u002Fmaster-farzad\u002F","\u003Cp>Disable Theme and Plugin Editors from WordPress Admin Panel for security reasons\u003C\u002Fp>\n\u003Cp>By default WordPress allows users to edit the theme and plugin codes through the admin panel.\u003Cbr \u002F>\nWhile it is a handy feature, it can be very dangerous as well. 
This simple plugin can end up locking you out of your site unless ofcourse you have the FTP access.\u003Cbr \u002F>\nTo prevent clients from screwing up the site, it is best to disable the theme and plugin editors from the WordPress admin panel.\u003C\u002Fp>\n","Disable Theme and Plugin Editors from WordPress Admin Panel for security reasons",10,2650,100,"2014-02-03T21:24:00.000Z","3.7.41","",[177,178,179,180],"disable-plugin-editing-in-wp","disable-plugin-editor","disable-theme-editing-in-wp","disable-theme-editor","http:\u002F\u002Fwordpress.org\u002Fplugins\u002Fdisable-theme-and-plugin-editor\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisable-theme-and-plugin-editor.1.1.zip",85,{"slug":185,"name":186,"version":187,"author":188,"author_profile":189,"description":190,"short_description":191,"active_installs":170,"downloaded":192,"rating":74,"num_ratings":74,"last_updated":193,"tested_up_to":194,"requires_at_least":195,"requires_php":175,"tags":196,"homepage":198,"download_link":199,"security_score":183,"vuln_count":74,"unpatched_count":74,"last_vuln_date":38,"fetched_at":200},"enable-theme-and-plugin-editor","Enable Theme and Plugin Editor (WPMU)","0.1","Sergey Biryukov","https:\u002F\u002Fprofiles.wordpress.org\u002Fsergeybiryukov\u002F","\u003Cp>\u003Cstrong>WordPress Multisite (3.0+) already comes with theme and plugin editor enabled by default. 
This plugin is available for reference only.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Allows to enable theme and plugin editor for site administrator in WordPress MU.\u003Cbr \u002F>\nRequires Site Admin capabilities, not just blog administrator.\u003C\u002Fp>\n\u003Cp>Based on the \u003Ca href=\"http:\u002F\u002Fwww.clickonf5.org\u002Fwordpress-mu\u002Fenable-theme-plugin-editor-wordpress-mu\u002F5790\" rel=\"nofollow ugc\">non-plugin solution\u003C\u002Fa> by Sanjeev Mishra.\u003C\u002Fp>\n","Allows to enable theme and plugin editor for site administrator in WordPress MU.",5733,"2010-11-22T05:49:00.000Z","2.9.2","2.7",[156,4,197],"wpmu","http:\u002F\u002Fuplift.ru\u002Fprojects\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fenable-theme-and-plugin-editor.0.1.zip","2026-03-15T14:54:45.397Z",{"slug":202,"name":203,"version":204,"author":205,"author_profile":206,"description":207,"short_description":208,"active_installs":209,"downloaded":210,"rating":211,"num_ratings":212,"last_updated":213,"tested_up_to":16,"requires_at_least":214,"requires_php":215,"tags":216,"homepage":221,"download_link":222,"security_score":172,"vuln_count":74,"unpatched_count":74,"last_vuln_date":38,"fetched_at":30},"so-css","SiteOrigin CSS","1.6.5","Greg - SiteOrigin","https:\u002F\u002Fprofiles.wordpress.org\u002Fgpriday\u002F","\u003Cp>SiteOrigin CSS is the intuitive and powerful CSS editor designed to empower your WordPress site customization. Enjoy a seamless editing experience with real-time visual controls, making it easy to tweak your site’s look and feel instantly. Whether you’re a beginner or an advanced developer, SiteOrigin CSS has you covered.\u003C\u002Fp>\n\u003Cp>For beginners, our user-friendly visual controls and live previews eliminate the guesswork from CSS editing. See your changes as you make them, ensuring your site looks exactly as you envision. 
For advanced users, we offer robust code autocompletion, speeding up your workflow and making CSS writing faster and more efficient than ever before. Take full control of your site’s design with SiteOrigin CSS and bring your creative vision to life.\u003C\u002Fp>\n\u003Cdiv class=\"embed-vimeo\" style=\"text-align: center;\">\u003Ciframe loading=\"lazy\" src=\"https:\u002F\u002Fplayer.vimeo.com\u002Fvideo\u002F129660380\" width=\"750\" height=\"422\" frameborder=\"0\" webkitallowfullscreen mozallowfullscreen allowfullscreen>\u003C\u002Fiframe>\u003C\u002Fdiv>\n\u003Ch4>Inspector\u003C\u002Fh4>\n\u003Cp>The hardest part of editing your site’s design using CSS is usually finding the correct selector to use. The powerful inspector that comes with SiteOrigin CSS makes this easy. While viewing a full preview of your site, just click on an element, and it’ll help you identify the best selector to use to target that element.\u003C\u002Fp>\n\u003Cp>The inspector will help you even if you have no idea what a CSS selector is.\u003C\u002Fp>\n\u003Ch4>Visual Editor\u003C\u002Fh4>\n\u003Cp>Don’t like playing around with code? No problem. SiteOrigin CSS has a set of simple controls that make it easy to choose colors, styles, and measurements. Combined with the inspector, you’ll be able to make changes in just a few clicks.\u003C\u002Fp>\n\u003Ch4>CSS Editor\u003C\u002Fh4>\n\u003Cp>SiteOrigin CSS has a powerful CSS editor, the likes of which you’d usually only expect from high-end IDEs. It has autocompletion for both CSS selectors and attributes. It also features very useful CSS linting to help you identify issues in your code before you publish your changes.\u003C\u002Fp>\n\u003Ch4>It’s Free\u003C\u002Fh4>\n\u003Cp>We’re committed to keeping SiteOrigin CSS free. You can install it on as many sites as you like without ever worrying about licensing. 
All future updates and upgrades will be free, and we even offer free support over on our friendly support forums.\u003C\u002Fp>\n\u003Ch4>Works With Any Theme\u003C\u002Fh4>\n\u003Cp>There’s an ever-growing collection of awesome WordPress themes, and now with SiteOrigin CSS, you can edit every single one of them to your heart’s content. No matter what theme you’re using, SiteOrigin CSS will work perfectly.\u003C\u002Fp>\n\u003Ch4>Actively Developed\u003C\u002Fh4>\n\u003Cp>We’re actively developing SiteOrigin CSS. Keep track of what’s happening over on \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fsiteorigin\u002Fso-css\u002F\" rel=\"nofollow ugc\">GitHub\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Documentation\u003C\u002Fh3>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsiteorigin.com\u002Fcss\u002Fgetting-started\u002F\" rel=\"nofollow ugc\">Documentation\u003C\u002Fa> is available on SiteOrigin.\u003C\u002Fp>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>Free support is available on the \u003Ca href=\"https:\u002F\u002Fsiteorigin.com\u002Fthread\u002F\" rel=\"nofollow ugc\">SiteOrigin support forums\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>SiteOrigin Premium\u003C\u002Fh3>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsiteorigin.com\u002Fdownloads\u002Fpremium\u002F\" rel=\"nofollow ugc\">SiteOrigin Premium\u003C\u002Fa> enhances SiteOrigin CSS with a Google Web Font Selector. Choose from hundreds of beautiful web fonts right in the visual editor.\u003C\u002Fp>\n\u003Cp>SiteOrigin Premium includes access to our professional email support service, perfect for those times when you need fast and effective technical support. We’re standing by to assist you in any way we can.\u003C\u002Fp>\n","Powerful, simple CSS editing for WordPress. 
Visual controls & real-time previews for effortless site customization.",100000,5900208,98,152,"2025-12-06T20:31:00.000Z","3.9","7.0.0",[217,218,4,219,220],"css-editor","live-editing","visual-css","website-styling","https:\u002F\u002Fsiteorigin.com\u002Fcss\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fso-css.1.6.5.zip",{"slug":224,"name":225,"version":226,"author":227,"author_profile":228,"description":229,"short_description":230,"active_installs":231,"downloaded":232,"rating":233,"num_ratings":159,"last_updated":234,"tested_up_to":16,"requires_at_least":214,"requires_php":175,"tags":235,"homepage":238,"download_link":239,"security_score":240,"vuln_count":170,"unpatched_count":74,"last_vuln_date":241,"fetched_at":30},"wp-editor","WP Editor","1.2.9.3","benjaminprojas","https:\u002F\u002Fprofiles.wordpress.org\u002Fbenjaminprojas\u002F","\u003Cp>WP Editor is a plugin for WordPress that replaces the default plugin and theme editors as well as the page\u002Fpost editor. Using integrations with CodeMirror and FancyBox to create a feature rich environment, WP Editor completely reworks the default WordPress file editing capabilities. 
Using Asynchronous Javascript and XML (AJAX) to retrieve files and folders, WP Editor sets a new standard for speed and reliability in a web-based editing atmosphere.\u003C\u002Fp>\n\u003Ch4>Features:\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>CodeMirror\u003C\u002Fli>\n\u003Cli>Active Line Highlighting\u003C\u002Fli>\n\u003Cli>Line Numbers\u003C\u002Fli>\n\u003Cli>Line Wrapping\u003C\u002Fli>\n\u003Cli>Eight Editor Themes with Syntax Highlighting\u003C\u002Fli>\n\u003Cli>Fullscreen Editing (ESC, F11)\u003C\u002Fli>\n\u003Cli>Text Search (CMD + F, CTRL + F)\u003C\u002Fli>\n\u003Cli>Individual Settings for Each Editor\u003C\u002Fli>\n\u003Cli>FancyBox for image viewing\u003C\u002Fli>\n\u003Cli>AJAX File Browser\u003C\u002Fli>\n\u003Cli>Allowed Extensions List\u003C\u002Fli>\n\u003Cli>Easy to use Settings Section\u003C\u002Fli>\n\u003C\u002Ful>\n","WP Editor is a plugin for WordPress that replaces the default plugin and theme editors as well as the page\u002Fpost editor.",30000,1080551,90,"2026-03-11T18:50:00.000Z",[153,236,156,237,4],"page-editor","post-editor","http:\u002F\u002Fwpeditor.net","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-editor.1.2.9.3.zip",82,"2026-04-30 
00:00:00",{"attackSurface":243,"codeSignals":444,"taintFlows":773,"riskAssessment":1054,"analyzedAt":1067},{"hooks":244,"ajaxHandlers":396,"restRoutes":441,"shortcodes":442,"cronEvents":443,"entryPointCount":348,"unprotectedCount":352},[245,251,254,257,261,265,269,273,277,281,286,289,292,296,298,302,305,309,312,315,318,320,322,326,329,332,335,338,341,346,349,355,359,364,368,372,375,378,383,387,391],{"type":246,"name":247,"callback":248,"file":249,"line":250},"action","admin_menu","theme_editor_menu_page","app\\controller\\controller.php",12,{"type":246,"name":247,"callback":252,"file":249,"line":253},"theme_editor_plugins_page",15,{"type":246,"name":247,"callback":255,"file":249,"line":256},"theme_editor_themes_page",19,{"type":246,"name":258,"callback":259,"priority":28,"file":249,"line":260},"_admin_menu","remove_editor_menu",21,{"type":246,"name":262,"callback":263,"file":249,"line":264},"admin_post_mk_theme_editor_export_te_files","export_te_files",22,{"type":246,"name":266,"callback":267,"file":249,"line":268},"admin_post_mk_theme_editor_download_te_theme","download_te_theme",23,{"type":246,"name":270,"callback":271,"file":249,"line":272},"admin_post_mk_theme_editor_download_te_plugin","download_te_plugin",24,{"type":246,"name":274,"callback":275,"file":249,"line":276},"admin_init","load_custom_scripts_settings",25,{"type":246,"name":247,"callback":278,"priority":279,"file":249,"line":280},"remove_plugin_editor_submenu",999,26,{"type":246,"name":282,"callback":283,"file":284,"line":285},"chld_thm_cfg_admin_notices","writable_notice","includes\\classes\\ms_theme_editor_admin.php",157,{"type":246,"name":282,"callback":287,"file":284,"line":288},"enqueue_notice",167,{"type":246,"name":282,"callback":290,"file":284,"line":291},"owner_notice",172,{"type":246,"name":293,"callback":294,"file":284,"line":295},"chld_thm_cfg_cache_updates","cache_debug",183,{"type":246,"name":293,"callback":294,"file":284,"line":297},215,{"type":246,"name":299,"callback":300,"file":284,"
line":301},"chld_thm_cfg_parse_stylesheets","parse_child_stylesheet_to_target",390,{"type":246,"name":299,"callback":303,"file":284,"line":304},"parse_parent_stylesheet_to_source",424,{"type":246,"name":306,"callback":307,"file":284,"line":308},"chld_thm_cfg_addl_options","network_enable",428,{"type":246,"name":299,"callback":310,"file":284,"line":311},"parse_additional_stylesheets_to_source",431,{"type":246,"name":299,"callback":313,"file":284,"line":314},"parse_child_stylesheet_to_source",435,{"type":246,"name":299,"callback":316,"file":284,"line":317},"parse_custom_stylesheet_to_target",437,{"type":246,"name":299,"callback":300,"file":284,"line":319},440,{"type":246,"name":299,"callback":316,"file":284,"line":321},443,{"type":246,"name":323,"callback":324,"priority":170,"file":284,"line":325},"chld_thm_cfg_addl_files","add_base_files",448,{"type":246,"name":323,"callback":327,"priority":170,"file":284,"line":328},"copy_screenshot",449,{"type":246,"name":323,"callback":330,"priority":253,"file":284,"line":331},"enqueue_parent_css",450,{"type":246,"name":323,"callback":333,"file":284,"line":334},"repair_header",452,{"type":246,"name":247,"callback":336,"file":337,"line":250},"ms_theme_editor_controller::admin","includes\\classes\\ms_theme_editor_controller.php",{"type":246,"name":323,"callback":330,"priority":253,"file":339,"line":340},"includes\\classes\\ms_theme_editor_css.php",954,{"type":246,"name":342,"callback":343,"priority":344,"file":345,"line":250},"admin_enqueue_scripts","enqueue_scripts",99,"includes\\classes\\ms_theme_editor_ui.php",{"type":246,"name":347,"callback":347,"file":345,"line":348},"all_admin_notices",13,{"type":246,"name":350,"callback":351,"priority":352,"file":353,"line":354},"plugins_loaded","ms_theme_editor_controller::init",5,"ms_child_theme_editor.php",42,{"type":246,"name":356,"callback":357,"file":353,"line":358},"setup_theme","ms_switch_theme",48,{"type":360,"name":361,"callback":361,"priority":362,"file":353,"line":363},"filter","
wp_redirect_status",1000,49,{"type":360,"name":365,"callback":366,"file":353,"line":367},"template","ms_get_template",68,{"type":360,"name":369,"callback":370,"file":353,"line":371},"stylesheet","ms_get_stylesheet",69,{"type":360,"name":373,"callback":370,"file":353,"line":374},"pre_option_stylesheet",70,{"type":360,"name":376,"callback":366,"file":353,"line":377},"pre_option_template",71,{"type":246,"name":379,"callback":380,"priority":381,"file":353,"line":382},"wp_print_styles","ms_style_css",999999,74,{"type":246,"name":384,"callback":385,"file":353,"line":386},"wp_footer","ms_convert_stylesheet_parse",75,{"type":360,"name":388,"callback":389,"priority":170,"file":353,"line":390},"style_loader_src","ms_theme_editor_src",260,{"type":246,"name":392,"callback":393,"file":394,"line":395},"init","theme_editor_load_text_domain","theme_editor.php",36,[397,400,406,410,413,417,420,423,426,429,432,435,438],{"action":398,"nopriv":49,"callback":398,"hasNonce":49,"hasCapCheck":49,"file":249,"line":399},"mk_te_close_te_help",34,{"action":401,"nopriv":49,"callback":402,"hasNonce":403,"hasCapCheck":49,"file":404,"line":405},"mk_theme_editor_verify_email","mk_theme_editor_verify_email_callback",true,"app\\model\\model.php",29,{"action":407,"nopriv":49,"callback":408,"hasNonce":49,"hasCapCheck":49,"file":404,"line":409},"verify_theme_editor_email","verify_theme_editor_email_callback",30,{"action":411,"nopriv":49,"callback":412,"hasNonce":49,"hasCapCheck":49,"file":337,"line":348},"ms_update","ms_theme_editor_controller::save",{"action":414,"nopriv":49,"callback":415,"hasNonce":49,"hasCapCheck":49,"file":337,"line":416},"ms_query","ms_theme_editor_controller::query",14,{"action":418,"nopriv":49,"callback":419,"hasNonce":49,"hasCapCheck":49,"file":337,"line":253},"ms_theme_summary","ms_theme_editor_controller::ms_theme_summary",{"action":421,"nopriv":49,"callback":421,"hasNonce":403,"hasCapCheck":403,"file":353,"line":422},"mk_theme_editor_file_move",271,{"action":424,"nopriv":49,"
callback":424,"hasNonce":403,"hasCapCheck":403,"file":353,"line":425},"mk_theme_editor_child_file_delete",337,{"action":427,"nopriv":49,"callback":427,"hasNonce":403,"hasCapCheck":403,"file":353,"line":428},"webphoto_upload",366,{"action":430,"nopriv":49,"callback":430,"hasNonce":403,"hasCapCheck":403,"file":353,"line":431},"screenshot_upload",429,{"action":433,"nopriv":49,"callback":433,"hasNonce":403,"hasCapCheck":403,"file":353,"line":434},"mk_theme_editor_delete_images",495,{"action":436,"nopriv":49,"callback":436,"hasNonce":403,"hasCapCheck":403,"file":353,"line":437},"ms_new_directory",527,{"action":439,"nopriv":49,"callback":439,"hasNonce":403,"hasCapCheck":403,"file":353,"line":440},"ms_new_file",560,[],[],[],{"dangerousFunctions":445,"sqlUsage":446,"outputEscaping":448,"fileOperations":771,"externalRequests":662,"nonceChecks":260,"capabilityChecks":409,"bundledLibraries":772},[],{"prepared":74,"raw":74,"locations":447},[],{"escaped":449,"rawEcho":450,"locations":451},111,194,[452,455,457,459,461,463,465,467,469,471,473,475,477,479,482,484,487,489,490,492,494,496,497,498,500,502,503,504,505,506,507,508,509,510,511,513,515,516,517,519,521,522,523,524,525,526,528,529,531,533,535,537,539,541,542,544,546,548,550,552,554,556,558,559,560,562,563,565,567,568,569,571,573,574,575,576,577,578,579,580,581,582,584,585,587,588,589,591,593,594,595,597,599,600,601,602,603,604,606,608,610,612,614,616,618,620,621,622,624,626,628,630,632,634,635,638,640,641,643,646,647,648,649,651,654,655,658,660,663,664,665,667,669,672,674,675,676,677,679,680,681,682,683,684,685,686,687,689,690,692,694,696,698,700,702,703,705,707,709,711,712,714,715,717,719,720,721,722,723,725,727,729,730,731,733,735,736,738,740,742,744,746,748,750,751,753,755,757,759,761,763,765,767,769],{"file":249,"line":453,"context":454},169,"raw 
output",{"file":249,"line":456,"context":454},171,{"file":249,"line":458,"context":454},198,{"file":460,"line":328,"context":454},"app\\controller\\theme_controller.php",{"file":404,"line":462,"context":454},189,{"file":404,"line":464,"context":454},248,{"file":404,"line":466,"context":454},308,{"file":404,"line":468,"context":454},324,{"file":404,"line":470,"context":454},356,{"file":404,"line":472,"context":454},387,{"file":404,"line":474,"context":454},416,{"file":404,"line":476,"context":454},463,{"file":404,"line":478,"context":454},525,{"file":480,"line":481,"context":454},"app\\view\\notify.php",53,{"file":483,"line":481,"context":454},"app\\view\\permissions.php",{"file":485,"line":486,"context":454},"app\\view\\plugin_editor.php",7,{"file":485,"line":488,"context":454},31,{"file":485,"line":399,"context":454},{"file":485,"line":491,"context":454},38,{"file":485,"line":493,"context":454},41,{"file":485,"line":495,"context":454},62,{"file":485,"line":495,"context":454},{"file":485,"line":495,"context":454},{"file":485,"line":499,"context":454},77,{"file":485,"line":501,"context":454},91,{"file":485,"line":501,"context":454},{"file":485,"line":501,"context":454},{"file":485,"line":501,"context":454},{"file":485,"line":501,"context":454},{"file":485,"line":13,"context":454},{"file":485,"line":211,"context":454},{"file":485,"line":344,"context":454},{"file":485,"line":344,"context":454},{"file":485,"line":344,"context":454},{"file":485,"line":512,"context":454},104,{"file":485,"line":514,"context":454},105,{"file":485,"line":514,"context":454},{"file":485,"line":514,"context":454},{"file":485,"line":518,"context":454},108,{"file":485,"line":520,"context":454},109,{"file":485,"line":520,"context":454},{"file":485,"line":520,"context":454},{"file":485,"line":520,"context":454},{"file":485,"line":520,"context":454},{"file":485,"line":520,"context":454},{"file":485,"line":527,"context":454},126,{"file":485,"line":14,"context":454},{"file":485,"line":530,"context":45
4},128,{"file":485,"line":532,"context":454},130,{"file":485,"line":534,"context":454},131,{"file":485,"line":536,"context":454},154,{"file":485,"line":538,"context":454},155,{"file":485,"line":540,"context":454},156,{"file":485,"line":285,"context":454},{"file":485,"line":543,"context":454},168,{"file":485,"line":545,"context":454},170,{"file":485,"line":547,"context":454},191,{"file":485,"line":549,"context":454},201,{"file":485,"line":551,"context":454},216,{"file":485,"line":553,"context":454},240,{"file":485,"line":555,"context":454},268,{"file":557,"line":170,"context":454},"app\\view\\settings.php",{"file":557,"line":377,"context":454},{"file":557,"line":377,"context":454},{"file":557,"line":561,"context":454},73,{"file":557,"line":561,"context":454},{"file":564,"line":27,"context":454},"app\\view\\theme_editor.php",{"file":564,"line":566,"context":454},28,{"file":564,"line":409,"context":454},{"file":564,"line":399,"context":454},{"file":564,"line":570,"context":454},37,{"file":564,"line":572,"context":454},55,{"file":564,"line":374,"context":454},{"file":564,"line":374,"context":454},{"file":564,"line":374,"context":454},{"file":564,"line":501,"context":454},{"file":564,"line":514,"context":454},{"file":564,"line":514,"context":454},{"file":564,"line":514,"context":454},{"file":564,"line":514,"context":454},{"file":564,"line":514,"context":454},{"file":564,"line":583,"context":454},106,{"file":564,"line":449,"context":454},{"file":564,"line":586,"context":454},112,{"file":564,"line":586,"context":454},{"file":564,"line":586,"context":454},{"file":564,"line":590,"context":454},117,{"file":564,"line":592,"context":454},118,{"file":564,"line":592,"context":454},{"file":564,"line":592,"context":454},{"file":564,"line":596,"context":454},121,{"file":564,"line":598,"context":454},122,{"file":564,"line":598,"context":454},{"file":564,"line":598,"context":454},{"file":564,"line":598,"context":454},{"file":564,"line":598,"context":454},{"file":564,"line":598,"contex
t":454},{"file":564,"line":605,"context":454},141,{"file":564,"line":607,"context":454},142,{"file":564,"line":609,"context":454},143,{"file":564,"line":611,"context":454},146,{"file":564,"line":613,"context":454},176,{"file":564,"line":615,"context":454},177,{"file":564,"line":617,"context":454},178,{"file":564,"line":619,"context":454},179,{"file":564,"line":462,"context":454},{"file":564,"line":547,"context":454},{"file":564,"line":623,"context":454},212,{"file":564,"line":625,"context":454},222,{"file":564,"line":627,"context":454},237,{"file":564,"line":629,"context":454},262,{"file":564,"line":631,"context":454},290,{"file":337,"line":633,"context":454},47,{"file":345,"line":493,"context":454},{"file":636,"line":637,"context":454},"includes\\forms\\ms-child_theme_permission_control.php",54,{"file":636,"line":639,"context":454},63,{"file":636,"line":26,"context":454},{"file":636,"line":642,"context":454},65,{"file":644,"line":645,"context":454},"includes\\forms\\ms-main.php",16,{"file":644,"line":256,"context":454},{"file":644,"line":256,"context":454},{"file":644,"line":367,"context":454},{"file":644,"line":650,"context":454},80,{"file":652,"line":653,"context":454},"includes\\forms\\ms-parent-child.php",206,{"file":652,"line":653,"context":454},{"file":656,"line":657,"context":454},"includes\\forms\\ms-query-selector.php",11,{"file":659,"line":13,"context":454},"includes\\forms\\ms-settings-errors.php",{"file":661,"line":662,"context":454},"includes\\forms\\ms-theme-menu.php",2,{"file":661,"line":662,"context":454},{"file":661,"line":486,"context":454},{"file":666,"line":486,"context":454},"includes\\forms\\ms-webfonts.php",{"file":668,"line":170,"context":454},"includes\\forms\\ms_child_style.php",{"file":670,"line":671,"context":454},"includes\\forms\\ms_child_thme_image.php",56,{"file":670,"line":673,"context":454},59,{"file":670,"line":495,"context":454},{"file":670,"line":639,"context":454},{"file":670,"line":377,"context":454},{"file":670,"line":678,"co
ntext":454},103,{"file":670,"line":678,"context":454},{"file":670,"line":590,"context":454},{"file":670,"line":590,"context":454},{"file":670,"line":590,"context":454},{"file":670,"line":596,"context":454},{"file":670,"line":598,"context":454},{"file":670,"line":598,"context":454},{"file":670,"line":609,"context":454},{"file":670,"line":688,"context":454},148,{"file":670,"line":625,"context":454},{"file":670,"line":691,"context":454},226,{"file":670,"line":693,"context":454},227,{"file":670,"line":695,"context":454},228,{"file":670,"line":697,"context":454},250,{"file":699,"line":639,"context":454},"includes\\forms\\ms_files.php",{"file":699,"line":701,"context":454},72,{"file":699,"line":183,"context":454},{"file":699,"line":704,"context":454},115,{"file":699,"line":706,"context":454},133,{"file":699,"line":708,"context":454},192,{"file":699,"line":710,"context":454},195,{"file":699,"line":458,"context":454},{"file":699,"line":713,"context":454},199,{"file":699,"line":297,"context":454},{"file":699,"line":716,"context":454},218,{"file":699,"line":718,"context":454},221,{"file":699,"line":625,"context":454},{"file":699,"line":627,"context":454},{"file":699,"line":627,"context":454},{"file":699,"line":627,"context":454},{"file":699,"line":724,"context":454},280,{"file":699,"line":726,"context":454},283,{"file":699,"line":728,"context":454},323,{"file":699,"line":728,"context":454},{"file":699,"line":728,"context":454},{"file":699,"line":732,"context":454},325,{"file":699,"line":734,"context":454},353,{"file":699,"line":470,"context":454},{"file":699,"line":737,"context":454},358,{"file":699,"line":739,"context":454},359,{"file":699,"line":741,"context":454},391,{"file":699,"line":743,"context":454},395,{"file":699,"line":745,"context":454},396,{"file":699,"line":747,"context":454},397,{"file":699,"line":749,"context":454},425,{"file":699,"line":476,"context":454},{"file":699,"line":752,"context":454},490,{"file":699,"line":754,"context":454},516,{"file":756,"line":65
7,"context":454},"includes\\forms\\ms_parent_style.php",{"file":353,"line":758,"context":454},123,{"file":353,"line":760,"context":454},149,{"file":353,"line":762,"context":454},173,{"file":353,"line":764,"context":454},318,{"file":353,"line":766,"context":454},320,{"file":353,"line":768,"context":454},423,{"file":353,"line":770,"context":454},478,52,[],[774,790,813,828,871,887,899,913,933,946,957,965,973,984,994,1004,1012,1021,1030,1040],{"entryPoint":775,"graph":776,"unsanitizedCount":28,"severity":40},"te_get_theme_data (app\\controller\\theme_controller.php:19)",{"nodes":777,"edges":788},[778,782],{"id":779,"type":780,"label":781,"file":460,"line":488},"n0","source","$_REQUEST",{"id":783,"type":784,"label":785,"file":460,"line":786,"wp_function":787},"n1","sink","file_get_contents() [SSRF\u002FLFI]",87,"file_get_contents",[789],{"from":779,"to":783,"sanitized":49},{"entryPoint":791,"graph":792,"unsanitizedCount":28,"severity":40},"mk_theme_editor_folder_open (app\\model\\model.php:192)",{"nodes":793,"edges":809},[794,797,800,802,806],{"id":779,"type":780,"label":795,"file":404,"line":796},"$_POST",196,{"id":783,"type":784,"label":798,"file":404,"line":464,"wp_function":799},"echo() [XSS]","echo",{"id":801,"type":780,"label":795,"file":404,"line":549},"n2",{"id":803,"type":804,"label":805,"file":404,"line":549},"n3","transform","→ get_files_and_folders()",{"id":807,"type":784,"label":785,"file":460,"line":808,"wp_function":787},"n4",247,[810,811,812],{"from":779,"to":783,"sanitized":403},{"from":801,"to":803,"sanitized":49},{"from":803,"to":807,"sanitized":49},{"entryPoint":814,"graph":815,"unsanitizedCount":28,"severity":40},"mk_plugin_editor_folder_open 
(app\\model\\model.php:253)",{"nodes":816,"edges":824},[817,819,820,822,823],{"id":779,"type":780,"label":795,"file":404,"line":818},256,{"id":783,"type":784,"label":798,"file":404,"line":466,"wp_function":799},{"id":801,"type":780,"label":795,"file":404,"line":821},261,{"id":803,"type":804,"label":805,"file":404,"line":821},{"id":807,"type":784,"label":785,"file":460,"line":808,"wp_function":787},[825,826,827],{"from":779,"to":783,"sanitized":403},{"from":801,"to":803,"sanitized":49},{"from":803,"to":807,"sanitized":49},{"entryPoint":829,"graph":830,"unsanitizedCount":662,"severity":40},"\u003Cmodel> (app\\model\\model.php:0)",{"nodes":831,"edges":863},[832,835,838,841,842,843,847,849,851,855,857,859,861],{"id":779,"type":780,"label":833,"file":404,"line":834},"$_POST (x3)",40,{"id":783,"type":784,"label":836,"file":404,"line":363,"wp_function":837},"update_option() [Settings Manipulation]","update_option",{"id":801,"type":780,"label":839,"file":404,"line":840},"$_POST (x2)",158,{"id":803,"type":784,"label":785,"file":404,"line":543,"wp_function":787},{"id":807,"type":780,"label":839,"file":404,"line":840},{"id":844,"type":784,"label":845,"file":404,"line":291,"wp_function":846},"n5","fopen() [File 
Access]","fopen",{"id":848,"type":780,"label":839,"file":404,"line":796},"n6",{"id":850,"type":784,"label":798,"file":404,"line":464,"wp_function":799},"n7",{"id":852,"type":780,"label":853,"file":404,"line":854},"n8","$_FILES",509,{"id":856,"type":784,"label":798,"file":404,"line":478,"wp_function":799},"n9",{"id":858,"type":780,"label":839,"file":404,"line":549},"n10",{"id":860,"type":804,"label":805,"file":404,"line":549},"n11",{"id":862,"type":784,"label":785,"file":460,"line":808,"wp_function":787},"n12",[864,865,866,867,868,869,870],{"from":779,"to":783,"sanitized":403},{"from":801,"to":803,"sanitized":403},{"from":807,"to":844,"sanitized":403},{"from":848,"to":850,"sanitized":403},{"from":852,"to":856,"sanitized":403},{"from":858,"to":860,"sanitized":49},{"from":860,"to":862,"sanitized":49},{"entryPoint":872,"graph":873,"unsanitizedCount":74,"severity":886},"export_te_files (app\\controller\\controller.php:104)",{"nodes":874,"edges":883},[875,877,879],{"id":779,"type":780,"label":876,"file":249,"line":704},"$_GET",{"id":783,"type":804,"label":878,"file":249,"line":704},"→ download_file()",{"id":801,"type":784,"label":880,"file":460,"line":881,"wp_function":882},"header() [Header Injection]",340,"header",[884,885],{"from":779,"to":783,"sanitized":49},{"from":783,"to":801,"sanitized":403},"low",{"entryPoint":888,"graph":889,"unsanitizedCount":74,"severity":886},"download_te_theme (app\\controller\\controller.php:123)",{"nodes":890,"edges":896},[891,892,894],{"id":779,"type":780,"label":876,"file":249,"line":534},{"id":783,"type":804,"label":893,"file":249,"line":534},"→ download_theme()",{"id":801,"type":784,"label":880,"file":460,"line":895,"wp_function":882},393,[897,898],{"from":779,"to":783,"sanitized":49},{"from":783,"to":801,"sanitized":403},{"entryPoint":900,"graph":901,"unsanitizedCount":74,"severity":886},"download_te_plugin 
(app\\controller\\controller.php:136)",{"nodes":902,"edges":910},[903,905,907],{"id":779,"type":780,"label":876,"file":249,"line":904},144,{"id":783,"type":804,"label":906,"file":249,"line":904},"→ download_plugin()",{"id":801,"type":784,"label":880,"file":908,"line":909,"wp_function":882},"app\\controller\\plugin_controller.php",101,[911,912],{"from":779,"to":783,"sanitized":49},{"from":783,"to":801,"sanitized":403},{"entryPoint":914,"graph":915,"unsanitizedCount":74,"severity":886},"\u003Ccontroller> (app\\controller\\controller.php:0)",{"nodes":916,"edges":926},[917,918,919,920,921,922,923,924,925],{"id":779,"type":780,"label":876,"file":249,"line":704},{"id":783,"type":804,"label":878,"file":249,"line":704},{"id":801,"type":784,"label":880,"file":460,"line":881,"wp_function":882},{"id":803,"type":780,"label":876,"file":249,"line":534},{"id":807,"type":804,"label":893,"file":249,"line":534},{"id":844,"type":784,"label":880,"file":460,"line":895,"wp_function":882},{"id":848,"type":780,"label":876,"file":249,"line":904},{"id":850,"type":804,"label":906,"file":249,"line":904},{"id":852,"type":784,"label":880,"file":908,"line":909,"wp_function":882},[927,928,929,930,931,932],{"from":779,"to":783,"sanitized":49},{"from":783,"to":801,"sanitized":403},{"from":803,"to":807,"sanitized":49},{"from":807,"to":844,"sanitized":403},{"from":848,"to":850,"sanitized":49},{"from":850,"to":852,"sanitized":403},{"entryPoint":934,"graph":935,"unsanitizedCount":74,"severity":886},"te_get_plugin_data (app\\controller\\plugin_controller.php:7)",{"nodes":936,"edges":943},[937,939,940,941],{"id":779,"type":780,"label":938,"file":908,"line":264},"$_REQUEST 
(x2)",{"id":783,"type":784,"label":785,"file":908,"line":481,"wp_function":787},{"id":801,"type":780,"label":781,"file":908,"line":264},{"id":803,"type":784,"label":845,"file":908,"line":942,"wp_function":846},57,[944,945],{"from":779,"to":783,"sanitized":403},{"from":801,"to":803,"sanitized":403},{"entryPoint":947,"graph":948,"unsanitizedCount":74,"severity":886},"\u003Cplugin_controller> (app\\controller\\plugin_controller.php:0)",{"nodes":949,"edges":954},[950,951,952,953],{"id":779,"type":780,"label":938,"file":908,"line":264},{"id":783,"type":784,"label":785,"file":908,"line":481,"wp_function":787},{"id":801,"type":780,"label":781,"file":908,"line":264},{"id":803,"type":784,"label":845,"file":908,"line":942,"wp_function":846},[955,956],{"from":779,"to":783,"sanitized":403},{"from":801,"to":803,"sanitized":403},{"entryPoint":958,"graph":959,"unsanitizedCount":74,"severity":886},"\u003Ctheme_controller> (app\\controller\\theme_controller.php:0)",{"nodes":960,"edges":963},[961,962],{"id":779,"type":780,"label":781,"file":460,"line":488},{"id":783,"type":784,"label":785,"file":460,"line":786,"wp_function":787},[964],{"from":779,"to":783,"sanitized":403},{"entryPoint":966,"graph":967,"unsanitizedCount":74,"severity":886},"mk_theme_editor_verify_email_callback (app\\model\\model.php:35)",{"nodes":968,"edges":971},[969,970],{"id":779,"type":780,"label":833,"file":404,"line":834},{"id":783,"type":784,"label":836,"file":404,"line":363,"wp_function":837},[972],{"from":779,"to":783,"sanitized":403},{"entryPoint":974,"graph":975,"unsanitizedCount":74,"severity":886},"mk_theme_editor_theme_files 
(app\\model\\model.php:154)",{"nodes":976,"edges":981},[977,978,979,980],{"id":779,"type":780,"label":795,"file":404,"line":840},{"id":783,"type":784,"label":785,"file":404,"line":543,"wp_function":787},{"id":801,"type":780,"label":795,"file":404,"line":840},{"id":803,"type":784,"label":845,"file":404,"line":291,"wp_function":846},[982,983],{"from":779,"to":783,"sanitized":403},{"from":801,"to":803,"sanitized":403},{"entryPoint":985,"graph":986,"unsanitizedCount":74,"severity":886},"mk_theme_editor_file_open (app\\model\\model.php:312)",{"nodes":987,"edges":992},[988,990],{"id":779,"type":780,"label":795,"file":404,"line":989},315,{"id":783,"type":784,"label":785,"file":404,"line":991,"wp_function":787},321,[993],{"from":779,"to":783,"sanitized":403},{"entryPoint":995,"graph":996,"unsanitizedCount":74,"severity":886},"mk_theme_editor_file_create (app\\model\\model.php:360)",{"nodes":997,"edges":1002},[998,1000],{"id":779,"type":780,"label":795,"file":404,"line":999},364,{"id":783,"type":784,"label":845,"file":404,"line":1001,"wp_function":846},371,[1003],{"from":779,"to":783,"sanitized":403},{"entryPoint":1005,"graph":1006,"unsanitizedCount":74,"severity":886},"mk_theme_editor_file_upload (app\\model\\model.php:466)",{"nodes":1007,"edges":1010},[1008,1009],{"id":779,"type":780,"label":853,"file":404,"line":854},{"id":783,"type":784,"label":798,"file":404,"line":478,"wp_function":799},[1011],{"from":779,"to":783,"sanitized":403},{"entryPoint":1013,"graph":1014,"unsanitizedCount":74,"severity":886},"mk_theme_editor_file_move (ms_child_theme_editor.php:274)",{"nodes":1015,"edges":1019},[1016,1018],{"id":779,"type":780,"label":938,"file":353,"line":1017},278,{"id":783,"type":784,"label":798,"file":353,"line":764,"wp_function":799},[1020],{"from":779,"to":783,"sanitized":403},{"entryPoint":1022,"graph":1023,"unsanitizedCount":74,"severity":886},"screenshot_upload 
(ms_child_theme_editor.php:431)",{"nodes":1024,"edges":1028},[1025,1027],{"id":779,"type":780,"label":853,"file":353,"line":1026},469,{"id":783,"type":784,"label":798,"file":353,"line":770,"wp_function":799},[1029],{"from":779,"to":783,"sanitized":403},{"entryPoint":1031,"graph":1032,"unsanitizedCount":74,"severity":886},"ms_new_file (ms_child_theme_editor.php:562)",{"nodes":1033,"edges":1038},[1034,1036],{"id":779,"type":780,"label":938,"file":353,"line":1035},567,{"id":783,"type":784,"label":845,"file":353,"line":1037,"wp_function":846},583,[1039],{"from":779,"to":783,"sanitized":403},{"entryPoint":1041,"graph":1042,"unsanitizedCount":74,"severity":886},"\u003Cms_child_theme_editor> (ms_child_theme_editor.php:0)",{"nodes":1043,"edges":1050},[1044,1045,1046,1047,1048,1049],{"id":779,"type":780,"label":938,"file":353,"line":1017},{"id":783,"type":784,"label":798,"file":353,"line":764,"wp_function":799},{"id":801,"type":780,"label":853,"file":353,"line":1026},{"id":803,"type":784,"label":798,"file":353,"line":770,"wp_function":799},{"id":807,"type":780,"label":938,"file":353,"line":1035},{"id":844,"type":784,"label":845,"file":353,"line":1037,"wp_function":846},[1051,1052,1053],{"from":779,"to":783,"sanitized":403},{"from":801,"to":803,"sanitized":403},{"from":807,"to":844,"sanitized":403},{"summary":1055,"deductions":1056},"The 'theme-editor' plugin v3.1 presents a mixed security posture. While it demonstrates strengths in areas like using prepared statements for SQL queries and performing a significant number of capability checks, several critical concerns emerge from the static analysis. The presence of 5 unprotected AJAX handlers significantly expands the attack surface, creating potential entry points for unauthorized actions. 
Furthermore, the taint analysis reveals 4 flows with unsanitized paths, indicating a risk of path traversal vulnerabilities that could lead to unintended file access or modification.\n\nThe plugin's vulnerability history is a significant red flag. With 5 known CVEs (4 high-severity, 1 medium-severity) spanning common vulnerability types such as CSRF, deserialization, unrestricted uploads, and path traversal, the historical pattern suggests recurring weaknesses in input validation and access control. The fact that all previous CVEs are now patched is positive, but the frequency and nature of past issues indicate a persistent need for vigilance and robust security practices. The recent vulnerability in October 2025, although patched, reinforces this concern.\n\nIn conclusion, while the plugin has some positive security attributes, the unprotected AJAX handlers, unsanitized path flows, and a history of high-severity vulnerabilities necessitate careful consideration. The attack surface remains partly exposed, and past issues highlight the areas most likely to be affected if similar coding errors are reintroduced. 
Continuous monitoring and thorough code reviews are essential for this plugin.",[1057,1059,1061,1063,1065],{"reason":1058,"points":170},"Unprotected AJAX handlers (5)",{"reason":1060,"points":250},"Flows with unsanitized paths (4)",{"reason":1062,"points":645},"High severity CVEs in history (4)",{"reason":1064,"points":352},"Medium severity CVEs in history (1)",{"reason":1066,"points":27},"Low output escaping (36%)","2026-03-16T17:18:05.125Z",{"wat":1069,"direct":1075},{"assetPaths":1070,"generatorPatterns":1072,"scriptPaths":1073,"versionParams":1074},[1071],"\u002Fwp-content\u002Fplugins\u002Ftheme-editor\u002Fapp\u002Fview\u002Fimages\u002Fte.svg",[],[],[],{"cssClasses":1076,"htmlComments":1086,"htmlAttributes":1092,"restEndpoints":1098,"jsGlobals":1099,"shortcodeOutput":1101},[1077,1078,1079,1080,1081,1082,1083,1084,1085],"mk-te-file-content","mk-te-file-name","mk-te-file-save","mk-te-file-delete","mk-te-file-rename","mk-te-file-download","mk-te-new-file","mk-te-new-folder","mk-te-editor-wrapper",[1087,1088,1089,1090,1091],"\u003C!-- Theme Editor Settings Page -->","\u003C!-- Theme Editor Permissions Page -->","\u003C!-- Theme Editor Notify Page -->","\u003C!-- Theme Editor Main Page -->","\u003C!-- Plugin Editor Main Page -->",[1093,1094,1095,1096,1097],"data-plugin-slug","data-file-name","data-file-type","data-theme-slug","data-theme-name",[],[1100],"mk_te_file_manager",[],{"error":403,"url":1103,"statusCode":1104,"statusMessage":1105,"message":1105},"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Ftheme-editor\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":74,"versions":1107},[]]
