[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fTOKiIGJ8egbQNImx4R_uiIxV4sTRjK7euyN40-Wl7JM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39640","theme-editor-cross-site-request-forgery-2","Theme Editor \u003C= 3.2 - Cross-Site Request Forgery","The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","theme-editor",null,"\u003C=3.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-02-14 00:00:00","2026-04-15 21:36:50",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F032ec7ea-737c-4322-96ba-97d60cd2e08e?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-39640 (Theme Editor \u003C= 3.2)\n\n## 1. Vulnerability Summary\nThe **Theme Editor** plugin for WordPress (versions \u003C= 3.2) is vulnerable to **Cross-Site Request Forgery (CSRF)**. The vulnerability exists because the plugin fails to perform nonce validation when saving its administrative settings. An attacker can trick a logged-in administrator into visiting a malicious website that submits a forged request to the victim's WordPress site, leading to unauthorized modification of the plugin's configuration.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin.php?page=theme-editor` (or any admin page, as the logic is hooked to `admin_init`).\n- **HTTP Method**: `POST`\n- **Vulnerable Action**: The settings saving logic triggered by the presence of specific POST parameters.\n- **Authentication Level**: Unauthenticated (Attacker) \u002F Administrator (Victim).\n- **Preconditions**:\n    - The victim must be a logged-in Administrator.\n    - The \"Theme Editor\" plugin must be active.\n\n## 3. Code Flow\n1.  **Hook Registration**: The plugin registers a function to handle settings in the admin area.\n    - *File*: `theme-editor.php` (or `includes\u002Fte-admin-settings.php`)\n    - *Code*: `add_action( 'admin_init', 'te_save_settings_logic' );` (inferred)\n2.  **Logic Entry**: The function `te_save_settings_logic()` executes on every administrative page load.\n3.  **Vulnerable Check**:\n    ```php\n    function te_save_settings_logic() {\n        if ( isset( $_POST['te_save_settings'] ) ) {\n            \u002F\u002F VULNERABILITY: No check_admin_referer() or wp_verify_nonce() here.\n            $options = $_POST['te_theme_editor_options'];\n            update_option( 'te_theme_editor_options', $options );\n        }\n    }\n    ```\n4.  **Sink**: `update_option()` is called with the unsanitized (or poorly sanitized) and unverified data from `$_POST['te_theme_editor_options']`.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is characterized by the **absence** of a nonce check. Therefore, no nonce is required to perform the exploit. The attacker simply needs to forge the POST request with the correct parameter names.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that an external request can change the plugin's settings.\n\n### Step 1: Create the Exploit Payload\nWe will use an auto-submitting HTML form. The most visible setting to change for demonstration is the `editor_theme` or `enable_theme_editor` flag.\n\n### Step 2: Target Parameters\nBased on the plugin structure, the settings are stored in an array under the option `te_theme_editor_options`.\n- `te_save_settings`: Must be set to trigger the logic.\n- `te_theme_editor_options[editor_theme]`: Setting this to a specific value (e.g., `cobalt`).\n\n### Step 3: Trigger via `http_request`\nSince the security agent uses Playwright, we can simulate the CSRF by navigating an authenticated admin session to a \"malicious\" page or directly performing the POST request using the admin's context.\n\n**Request Details**:\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=theme-editor`\n- **Method**: `POST`\n- **Headers**:\n    - `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n    ```\n    te_save_settings=1&te_theme_editor_options%5Beditor_theme%5D=cobalt&te_theme_editor_options%5Benable_theme_editor%5D=1\n    ```\n\n## 6. Test Data Setup\n1.  **Install\u002FActivate Plugin**: Ensure `theme-editor` version 3.2 is installed.\n2.  **Initialize Settings**: Visit the settings page once as admin to ensure default options exist.\n    - `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=theme-editor\")`\n3.  **Identify Target Option**: Confirm the current value of the option.\n    - `wp option get te_theme_editor_options`\n\n## 7. Expected Results\n- The server will process the request and return a 302 redirect (standard WordPress admin behavior) or a 200 OK.\n- The WordPress database will be updated. Specifically, the `te_theme_editor_options` option will now contain `editor_theme => cobalt`.\n\n## 8. Verification Steps\nAfter the `http_request` is sent:\n1.  **Check via WP-CLI**:\n    ```bash\n    wp option get te_theme_editor_options --format=json\n    ```\n    Verify that `\"editor_theme\":\"cobalt\"` exists in the output.\n2.  **Verify via UI**:\n    Navigate to the Theme Editor settings page and observe the selected theme in the dropdown.\n\n## 9. Alternative Approaches\nIf the plugin uses AJAX for settings (unlikely in version 3.2 for this specific plugin, but possible):\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `te_save_settings` (inferred)\n- **Method**: `POST`\n- **Body**: `action=te_save_settings&te_theme_editor_options[editor_theme]=cobalt`\n- **Bypass**: Check if `check_ajax_referer` is present but uses a default action like `-1` or if the result is ignored.\n\nIf the primary settings page is protected, check for the **Download Theme\u002FPlugin** feature:\n- Often these plugins allow downloading zip files of themes. If the `action=te_download_theme` (inferred) lacks a nonce, a CSRF could be used to trigger a server-side zip generation or other resource-intensive tasks.","The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 3.2. This vulnerability allows unauthenticated attackers to modify plugin settings by tricking a logged-in administrator into submitting a forged POST request due to missing nonce validation on the settings-saving function.","\u002F\u002F File: theme-editor.php (inferred from te_save_settings_logic hook)\nfunction te_save_settings_logic() {\n    if ( isset( $_POST['te_save_settings'] ) ) {\n        \u002F\u002F VULNERABILITY: No check_admin_referer() or wp_verify_nonce() here.\n        $options = $_POST['te_theme_editor_options'];\n        update_option( 'te_theme_editor_options', $options );\n    }\n}\nadd_action( 'admin_init', 'te_save_settings_logic' );","--- theme-editor\u002Ftheme-editor.php\n+++ theme-editor\u002Ftheme-editor.php\n@@ -10,6 +10,7 @@\n function te_save_settings_logic() {\n     if ( isset( $_POST['te_save_settings'] ) ) {\n+        check_admin_referer('te_save_settings_action', 'te_nonce');\n         $options = $_POST['te_theme_editor_options'];\n         update_option( 'te_theme_editor_options', $options );\n     }","The exploit targets the settings saving logic triggered via the 'admin_init' hook. An attacker crafts a malicious HTML page containing a hidden form that sends a POST request to any administrative endpoint (e.g., \u002Fwp-admin\u002Fadmin.php?page=theme-editor). The payload must include 'te_save_settings=1' and the 'te_theme_editor_options' array with the desired malicious configuration values. When a logged-in administrator visits the attacker's page, the form is automatically submitted via JavaScript. Because the plugin does not verify a CSRF nonce, it updates the database option 'te_theme_editor_options' with the attacker-supplied data.","gemini-3-flash-preview","2026-04-20 22:45:50","2026-04-20 22:46:11",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftheme-editor\u002Ftags"]