CVE-2022-2440 – Theme Editor <= 2.8 - Authenticated (Admin+) PHAR Deserialization
https://notcve.org/view.php?id=CVE-2022-2440
The Theme Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'images_array' parameter in versions up to, and including, 2.8. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper, which deserializes and calls arbitrary PHP objects that can be used to perform a variety of malicious actions, provided a POP chain is also present. It also requires that the attacker successfully upload a file containing the serialized payload.
• https://plugins.trac.wordpress.org/browser/theme-editor/trunk/ms_child_theme_editor.php#L495
• https://plugins.trac.wordpress.org/changeset/3142694
• https://www.wordfence.com/threat-intel/vulnerabilities/id/88fe46bf-8e85-4550-92ad-bdd426e5a745?source=cve
• CWE-502: Deserialization of Untrusted Data
CVE-2023-6091 – WordPress Theme Editor plugin <= 2.7.1 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2023-6091
Unrestricted Upload of File with Dangerous Type vulnerability in mndpsingh287 Theme Editor. This issue affects Theme Editor: from n/a through 2.7.1. The Theme Editor plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers with administrator privileges or higher to upload arbitrary files on the affected site's server, which may make remote code execution possible.
• https://patchstack.com/database/vulnerability/theme-editor/wordpress-theme-editor-plugin-2-7-1-arbitrary-file-upload-vulnerability?_s_id=cve
• CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2021-24154 – Theme Editor < 2.6 - Authenticated Arbitrary File Download
https://notcve.org/view.php?id=CVE-2021-24154
The Theme Editor WordPress plugin before 2.6 did not validate the GET file parameter before passing it to the download_file() function, allowing administrators to download arbitrary files on the web server, such as /etc/passwd.
• https://wpscan.com/vulnerability/566c6836-fc3d-4dd9-b351-c3d9da9ec22e
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-552: Files or Directories Accessible to External Parties