CVE-2026-3772: WP Editor Plugin CSRF Allows Remote Code Execution

The National Vulnerability Database has detailed CVE-2026-3772, a high-severity Cross-Site Request Forgery (CSRF) vulnerability in the WP Editor plugin for WordPress. All versions up to, and including, 1.2.9.2 are affected. The flaw is missing nonce verification in the add_plugins_page and add_themes_page functions.

Without that check, an unauthenticated attacker can overwrite arbitrary plugin and theme PHP files, provided they trick a site administrator into clicking a crafted link: the forged request is submitted with the administrator's session, so the plugin treats the attacker's code as the administrator's edit. With a CVSS score of 8.8 (HIGH), the potential for complete compromise of the WordPress instance is significant, moving from CSRF to full remote code execution.

This is not a complex exploit; it relies on a fundamental web security oversight. An attacker can craft a malicious request that, when executed by an authenticated administrator's browser, effectively backdoors the site. The impact is total: arbitrary code execution means full control over the WordPress environment, leading to data exfiltration, defacement, or further lateral movement within a network.
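As an added illustration of the bug class (not WP Editor's own code), a hypothetical AJAX save handler is shown first without nonce verification and then hardened with check_ajax_referer(), a capability check and path confinement; the action name wpe_save_code, the _wpnonce field and the POST field names are assumed.

```php
<?php
// Added illustration of the bug class behind CVE-2026-3772; this is NOT WP
// Editor's source. A hypothetical AJAX handler (the names wpe_save_code,
// _wpnonce, 'file' and 'code' are assumed) writes editor contents to a file
// under the plugins directory.

// VULNERABLE: no nonce verification. A cross-site form post carries the
// logged-in administrator's cookies, so WordPress runs this as the admin.
function wpe_save_code_vulnerable() {
    $target = WP_PLUGIN_DIR . '/' . $_POST['file'];        // attacker-chosen path
    file_put_contents($target, wp_unslash($_POST['code'])); // attacker-chosen PHP
    wp_send_json_success();
}
add_action('wp_ajax_wpe_save_code_vulnerable', 'wpe_save_code_vulnerable');

// HARDENED: nonce check (the CSRF token the missing verification is about),
// capability check, and confinement of the target path to the plugins
// directory, so "arbitrary file" becomes "a file this admin may edit".
function wpe_save_code_hardened() {
    // Dies with HTTP 403 unless the request carries a valid nonce for this
    // action; a page on another origin cannot obtain one.
    check_ajax_referer('wpe_save_code', '_wpnonce');

    if (!current_user_can('edit_plugins')) {
        wp_send_json_error('insufficient capability', 403);
    }

    // Resolve the directory part first (realpath() follows '..' and symlinks)
    // and require it to stay inside the plugins directory.
    $base = trailingslashit(wp_normalize_path(realpath(WP_PLUGIN_DIR)));
    $rel  = ltrim((string) ($_POST['file'] ?? ''), '/');
    $dir  = realpath(WP_PLUGIN_DIR . '/' . dirname($rel));
    if ($rel === '' || $dir === false
        || strpos(trailingslashit(wp_normalize_path($dir)), $base) !== 0) {
        wp_send_json_error('target outside plugins directory', 400);
    }

    file_put_contents($dir . '/' . basename($rel), wp_unslash($_POST['code'] ?? ''));
    wp_send_json_success();
}
add_action('wp_ajax_wpe_save_code_hardened', 'wpe_save_code_hardened');

// The admin page must mint the token the handler verifies, e.g.
// wp_nonce_field('wpe_save_code', '_wpnonce') inside the editor form, or
// wp_create_nonce('wpe_save_code') handed to the script via wp_localize_script().
```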

What This Means For You

  • If your organization uses the WP Editor plugin for WordPress, you are exposed. Immediately audit your WordPress installations to identify any instances running this plugin. If found, disable it and replace it with a more secure alternative. This vulnerability is trivial to exploit with social engineering, and the consequences are catastrophic. Assume compromise if an administrator has clicked suspicious links while logged into a vulnerable site.

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

Severity: critical · ATT&CK: T1190 (Initial Access)

CVE-2026-3772: WP Editor Plugin Arbitrary File Overwrite via CSRF

Sigma YAML (the title is quoted because a plain scalar containing ": " does not parse as YAML):

title: 'CVE-2026-3772: WP Editor Plugin Arbitrary File Overwrite via CSRF'
id: scw-2026-05-01-ai-1
status: experimental
level: critical
description: |
  This rule detects the specific CSRF exploit pattern for CVE-2026-3772 targeting the WP Editor plugin. The exploit leverages the 'save_code' action via AJAX to overwrite arbitrary plugin and theme PHP files by tricking an administrator into clicking a malicious link. The detection focuses on the AJAX endpoint and the specific action parameter used in the exploit, combined with a POST request and a referer indicating an administrative context.
author: SCW Feed Engine (AI-generated)
date: 2026-05-01
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-3772/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/wp-admin/admin-ajax.php'
    cs-uri-query|contains:
      - 'action=save_code'
    cs-method:
      - 'POST'
    referer|contains:
      - '/wp-admin/'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
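As an added example that is not part of the advisory or the rule, the following applies the rule's selection to constructed web-server log records and adds the check a responder wants: whether the Referer of a save_code POST is cross-origin. A forged request is submitted from the attacker's page with the administrator's cookies, so its Referer names a foreign host or is absent, whereas the rule's '/wp-admin/' referer clause matches same-origin traffic, which is its listed false positive; the site host shop.example and the records are constructed.

```php
<?php
// Added example, not part of the advisory: evaluates the Sigma selection over
// constructed log records and flags cross-origin save_code POSTs separately.
// A web-server log does not contain POST bodies, so an 'action' that is sent
// only in the body would not appear in 'query' and would be missed by the rule.
const EVENTS = [
    ['method' => 'POST', 'uri' => '/wp-admin/admin-ajax.php', 'query' => 'action=save_code',
     'referer' => 'https://shop.example/wp-admin/admin.php?page=wpeditor'],
    ['method' => 'POST', 'uri' => '/wp-admin/admin-ajax.php', 'query' => 'action=save_code',
     'referer' => 'https://lure.example/post.html'],
    ['method' => 'POST', 'uri' => '/wp-admin/admin-ajax.php', 'query' => 'action=save_code',
     'referer' => ''],
    ['method' => 'GET',  'uri' => '/wp-admin/admin-ajax.php', 'query' => 'action=heartbeat',
     'referer' => 'https://shop.example/wp-admin/'],
];

// The four conditions of the rule's 'selection' block, exactly as written.
function matches_rule_selection(array $e): bool {
    return $e['method'] === 'POST'
        && str_contains($e['uri'], '/wp-admin/admin-ajax.php')
        && str_contains($e['query'], 'action=save_code')
        && str_contains($e['referer'], '/wp-admin/');
}

// Cross-origin means the Referer host differs from the site host, or there is
// no Referer at all (a referrer policy may strip it; admin screens normally send one).
function is_cross_origin(string $referer, string $site_host): bool {
    $host = parse_url($referer, PHP_URL_HOST);
    return !is_string($host) || strcasecmp($host, $site_host) !== 0;
}

function classify(array $e, string $site_host): string {
    $save_code = $e['method'] === 'POST'
        && str_contains($e['uri'], '/wp-admin/admin-ajax.php')
        && str_contains($e['query'], 'action=save_code');
    if (!$save_code) {
        return 'ignore';
    }
    if (is_cross_origin($e['referer'], $site_host)) {
        return 'investigate: save_code POST with foreign or missing Referer';
    }
    return matches_rule_selection($e)
        ? 'review: rule match, same-origin (expected admin editor use)'
        : 'review: same-origin save_code POST not referred from /wp-admin/';
}

foreach (EVENTS as $i => $e) {
    printf("%d %s\n", $i, classify($e, 'shop.example'));
}
```

Records 1 and 2 are the ones a CSRF against this site would produce, and neither satisfies the rule's referer clause; record 0 satisfies it and is the rule's documented false positive.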

Indicators of Compromise

ID             Type            Indicator
CVE-2026-3772  CSRF            WP Editor plugin for WordPress versions <= 1.2.9.2
CVE-2026-3772  CSRF            Missing nonce verification in 'add_plugins_page' function
CVE-2026-3772  CSRF            Missing nonce verification in 'add_themes_page' function
CVE-2026-3772  Code Injection  Ability to overwrite arbitrary plugin and theme PHP files

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 01, 2026 at 15:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
