WP Editor Security & Risk Analysis

wordpress.org/plugins/wp-editor

WP Editor is a plugin for WordPress that replaces the default plugin and theme editors as well as the page/post editor.

30K active installs · v1.2.9.3 · PHP + WP 3.9+ · Updated Mar 11, 2026
Tags: code-editor, page-editor, plugin-editor, post-editor, theme-editor
Score: 86 (A · Safe)
CVEs total: 9
Unpatched: 0
Last CVE: Apr 16, 2025
Safety Verdict: Is WP Editor Safe to Use in 2026?

Generally Safe

Score 86/100

WP Editor has a strong security track record. Known vulnerabilities have been patched promptly.

9 known CVEs · Last CVE: Apr 16, 2025 · Updated 23d ago
Risk Assessment

The "wp-editor" plugin, version 1.2.9.3, presents a mixed security posture. While it demonstrates good practices such as 100% prepared SQL statements and a reasonable number of capability checks, significant concerns arise from its attack surface and past vulnerability history. The plugin exposes 4 AJAX handlers without any authentication checks, creating a substantial entry point for unauthorized actions. Furthermore, the presence of two "unserialize" calls, especially in conjunction with a history of "Deserialization of Untrusted Data" vulnerabilities, indicates a potential risk for attackers to exploit logic flaws or gain arbitrary code execution if they can influence the serialized data. The taint analysis shows two flows with unsanitized paths, which, while not rated as critical or high in this specific analysis, are concerning when combined with the lack of authorization on AJAX endpoints.

Key Concerns

  • 4 AJAX handlers without auth checks
  • 2 dangerous functions (unserialize)
  • 2 flows with unsanitized paths
  • 62% of output properly escaped (133 total)
  • 9 known CVEs with past critical/high severity
WP Editor Security Vulnerabilities (9 total)

CVEs by Year

  • 2016: 2 CVEs
  • 2021: 2 CVEs
  • 2024: 3 CVEs
  • 2025: 2 CVEs

Severity Breakdown

  • Critical: 1
  • High: 4
  • Medium: 4

9 total CVEs

CVE-2025-3295 · medium · 4.9 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
WP Editor <= 1.2.9.1 - Authenticated (Administrator+) Directory Traversal to Arbitrary File Read
Apr 16, 2025 · Patched in 1.2.9.2 (1d)

CVE-2025-3294 · high · 7.2 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
WP Editor <= 1.2.9.1 - Authenticated (Administrator+) Directory Traversal to Arbitrary File Update
Apr 16, 2025 · Patched in 1.2.9.2 (1d)

CVE-2022-2446 · high · 7.2 · Deserialization of Untrusted Data
WP Editor <= 1.2.9 - Authenticated (Admin+) PHAR Deserialization
Sep 12, 2024 · Patched in 1.2.9.1 (2d)

CVE-2024-24700 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Editor <= 1.2.8 - Reflected Cross-Site Scripting
Mar 26, 2024 · Patched in 1.2.9 (43d)

CVE-2024-25591 · medium · 5.3 · Insertion of Sensitive Information into Log File
WP Editor <= 1.2.7 - Sensitive Information Exposure via log file
Feb 12, 2024 · Patched in 1.2.8 (3d)

CVE-2021-24151 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
WP Editor <= 1.2.6.3 - Authenticated (Admin+) SQL injection
Feb 1, 2021 · Patched in 1.2.7 (1086d)

CVE-2016-10886 · critical · 9.8 · Missing Authorization
WP Editor < 1.2.6 - Incorrect Permission Assignment or Protection
Jan 15, 2021 · Patched in 1.2.6 (1103d)

CVE-2016-10877 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Editor <= 1.2.6.2 - Cross-Site Scripting
Oct 5, 2016 · Patched in 1.2.6.3 (2666d)

CVE-2016-10885 · high · 8.8 · Cross-Site Request Forgery (CSRF)
WP Editor < 1.2.6 - Cross-Site Request Forgery
May 13, 2016 · Patched in 1.2.6 (2811d)
WP Editor Code Analysis (analyzed Mar 16, 2026)

  • Dangerous Functions: 2
  • Raw SQL Queries: 0 (8 prepared)
  • Unescaped Output: 51 (82 escaped)
  • Nonce Checks: 14
  • Capability Checks: 16
  • File Operations: 28
  • External Requests: 0
  • Bundled Libraries: 1

Dangerous Functions Found

  • unserialize in classes\WPEditor.php:164: $wpeditor_roles = unserialize( $wpeditor_roles );
  • unserialize in classes\WPEditorAdmin.php:6: $page_roles = unserialize( $page_roles );

Bundled Libraries

jQuery

SQL Query Safety

100% prepared (8 total queries)

Output Escaping

62% escaped (133 total outputs)

Data Flow Analysis

11 flows, 2 with unsanitized paths

  • log (classes\WPEditorLog.php:4)
WP Editor Attack Surface

Entry Points: 4
Unprotected: 4

AJAX Handlers (4)

  • auth · wp_ajax_save_wpeditor_settings · classes\WPEditor.php:196
  • auth · wp_ajax_save_files · classes\WPEditor.php:199
  • auth · wp_ajax_upload_files · classes\WPEditor.php:202
  • auth · wp_ajax_ajax_folders · classes\WPEditor.php:205
WordPress Hooks (15)

  • action · admin_init · classes\WPEditor.php:179
  • action · admin_init · classes\WPEditor.php:181
  • action · admin_init · classes\WPEditor.php:183
  • action · admin_menu · classes\WPEditor.php:186
  • action · admin_menu · classes\WPEditor.php:188
  • action · admin_menu · classes\WPEditor.php:191
  • action · admin_menu · classes\WPEditor.php:193
  • filter · plugin_action_links · classes\WPEditor.php:208
  • filter · the_editor · classes\WPEditor.php:210
  • filter · admin_footer · classes\WPEditor.php:215
  • action · admin_print_styles · classes\WPEditorAdmin.php:33
  • action · admin_print_styles · classes\WPEditorAdmin.php:48
  • action · init · wpeditor.php:73
  • action · init · wpeditor.php:88
  • filter · plugin_action_links · wpeditor.php:91
WP Editor Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 11, 2026
  • PHP min version
  • Downloads: 1.1M

Community Trust

  • Rating: 90/100
  • Number of ratings: 95
  • Active installs: 30K
WP Editor Developer Profile

benjaminprojas

1 plugin · 30K total installs

  • Trust score: 69
  • Avg Security Score: 86/100
  • Avg Patch Time: 857 days
Detection Fingerprints: How We Detect WP Editor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/wp-editor/assets/js/ace/ace.js
  • /wp-content/plugins/wp-editor/assets/js/app.js
  • /wp-content/plugins/wp-editor/assets/js/codemirror/codemirror.js
  • /wp-content/plugins/wp-editor/assets/js/codemirror/mode/javascript.js
  • /wp-content/plugins/wp-editor/assets/js/codemirror/mode/php.js
  • /wp-content/plugins/wp-editor/assets/js/codemirror/mode/sql.js
  • /wp-content/plugins/wp-editor/assets/js/codemirror/mode/xml.js
  • /wp-content/plugins/wp-editor/assets/js/codemirror/mode/css.js
  • +15 more

Script Paths

  • /wp-content/plugins/wp-editor/assets/js/ace/ace.js
  • /wp-content/plugins/wp-editor/assets/js/app.js
  • /wp-content/plugins/wp-editor/assets/js/codemirror/codemirror.js
  • /wp-content/plugins/wp-editor/assets/js/codemirror/mode/javascript.js
  • /wp-content/plugins/wp-editor/assets/js/codemirror/mode/php.js
  • /wp-content/plugins/wp-editor/assets/js/codemirror/mode/sql.js
  • +11 more

Version Parameters

  • wp-editor/assets/js/ace/ace.js?ver=
  • wp-editor/assets/js/app.js?ver=
  • wp-editor/assets/js/codemirror/codemirror.js?ver=
  • wp-editor/assets/js/codemirror/mode/javascript.js?ver=
  • wp-editor/assets/js/codemirror/mode/php.js?ver=
  • wp-editor/assets/js/codemirror/mode/sql.js?ver=
  • wp-editor/assets/js/codemirror/mode/xml.js?ver=
  • wp-editor/assets/js/codemirror/mode/css.js?ver=
  • wp-editor/assets/js/codemirror/mode/htmlmixed.js?ver=
  • wp-editor/assets/js/codemirror/addon/edit/closebrackets.js?ver=
  • wp-editor/assets/js/codemirror/addon/edit/matchbrackets.js?ver=
  • wp-editor/assets/js/codemirror/addon/hint/show-hint.js?ver=
  • wp-editor/assets/js/codemirror/addon/hint/javascript-hint.js?ver=
  • wp-editor/assets/js/codemirror/addon/hint/html-hint.js?ver=
  • wp-editor/assets/js/codemirror/addon/hint/css-hint.js?ver=
  • wp-editor/assets/js/codemirror/addon/hint/any-hint.js?ver=
  • wp-editor/assets/js/jquery.jstree.js?ver=
  • wp-editor/assets/css/app.css?ver=
  • wp-editor/assets/css/codemirror.css?ver=
  • wp-editor/assets/css/codemirror-theme-elegant.css?ver=
  • wp-editor/assets/css/codemirror-theme-monokai.css?ver=
  • wp-editor/assets/css/codemirror-theme-xq-light.css?ver=
  • wp-editor/assets/css/codemirror-theme-zenburn.css?ver=

HTML / DOM Fingerprints

CSS Classes

  • plugin-editor-container
  • plugin-editor-file-list
  • plugin-editor-content-wrapper
  • plugin-editor-controls
  • plugin-editor-save-button

HTML Comments

  • <!-- WPEditor: Plugin Editor -->
  • <!-- Plugin File List -->
  • <!-- Editor Area -->
  • <!-- Controls -->

Data Attributes

  • data-plugin-file
  • data-plugin-name

JS Globals

  • WPEditor
  • wpeditor_plugin_editor
Frequently Asked Questions about WP Editor