{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9890", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-02T22:46:48.863Z", "datePublished": "2025-10-18T08:25:35.623Z", "dateUpdated": "2026-04-08T17:01:38.681Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:38.681Z"}, "affected": [{"vendor": "mndpsingh287", "product": "Theme Editor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0. This is due to missing or incorrect nonce validation on the 'theme_editor_theme' page. This makes it possible for unauthenticated attackers to achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Theme Editor <= 3.0 - Cross-Site Request Forgery to Remote Code Execution", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/77189684-b794-41a0-8fc0-3320032c2f69?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/theme-editor/trunk/app/controller/theme_controller.php#L87"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379404%40theme-editor&new=3379404%40theme-editor&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-17T19:39:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-20T17:08:22.305660Z", "id": "CVE-2025-9890", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-20T17:16:42.968Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9890", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-20T17:08:22.305660Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-20T17:14:05.504Z"}}], "cna": {"title": "Theme Editor <= 3.0 - Cross-Site Request Forgery to Remote Code Execution", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "mndpsingh287", "product": "Theme Editor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-17T19:39:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/77189684-b794-41a0-8fc0-3320032c2f69?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/theme-editor/trunk/app/controller/theme_controller.php#L87"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379404%40theme-editor&new=3379404%40theme-editor&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0. This is due to missing or incorrect nonce validation on the 'theme_editor_theme' page. This makes it possible for unauthenticated attackers to achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:38.681Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9890", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:01:38.681Z", "dateReserved": "2025-09-02T22:46:48.863Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-18T08:25:35.623Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0. This is due to missing or incorrect nonce validation on the 'theme_editor_theme' page. This makes it possible for unauthenticated attackers to achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9890", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-18T09:15:34.687", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/theme-editor/trunk/app/controller/theme_controller.php#L87"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379404%40theme-editor&new=3379404%40theme-editor&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/77189684-b794-41a0-8fc0-3320032c2f69?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:48:08.394404+00:00", "value": {"mitigation_remediation": ["Update the Theme Editor plugin to a release newer than 3.0 that incorporates proper nonce validation on the theme editing page.", "Add the constant DISALLOW_FILE_EDIT to wp-config.php to block file editing through the dashboard, limiting the surface area exposed by the plugin.", "Deploy a security plugin that mandates nonces on all form submissions, such as iThemes Security or Wordfence, to strengthen CSRF protections across the site."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the WordPress Theme Editor plugin developed by mndpsingh287 for all releases up to and including version 3.0. Any site running these affected versions faces the risk until an update is applied.", "description_and_impact": "The Theme Editor plugin is vulnerable to a Cross\u2011Site Request Forgery flaw due to missing or incorrect nonce validation on the 'theme_editor_theme' page. An attacker can send a forged request that, if a site administrator clicks a malicious link, escalates to remote code execution. This makes the affected site a direct target for unauthenticated attackers, compromising both confidentiality and integrity of site files.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high\u2011severity flaw, while the EPSS score of less than 1% suggests exploitation is presently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a simple CSRF via a malicious link or embed sent to an admin user. If exploited, the attacker gains the capability to execute arbitrary code on the server."}}}}, "created": "2025-10-20T13:21:36.103969+00:00", "updated": "2026-04-21T19:00:36.131403+00:00", "vendors": ["mndpsingh287", "mndpsingh287$PRODUCT$theme_editor", "wordpress", "wordpress$PRODUCT$wordpress"]}