WP Editor WordPress Plugin Arbitrary File Update Vulnerability

Vulnerability

A vulnerability allowing arbitrary file updates has been identified in the WP Editor plugin for WordPress, affecting all versions through 1.2.9.1. The issue arises from inadequate validation of file paths in the plugin's file handling, which allows authenticated attackers with Administrator-level access to overwrite arbitrary files on the server. If an overwritten file is of a type the web server executes, the vulnerability can lead to remote code execution.

Impact

Exploitation of this vulnerability could allow for unauthorized file modifications, potentially leading to remote code execution if the modified files are executed by the server.

Reproduction

To reproduce this vulnerability, an authenticated user with Administrator-level access uploads a file through the WP Editor plugin. The upload process does not properly validate the destination file path, so directory traversal sequences in the path can overwrite sensitive files on the server. If the overwritten file is of a type the web server executes, this can lead to remote code execution.
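The missing check described above is a destination-path confinement check. The following is an added example written for this page, not code from the WP Editor plugin: it canonicalises the requested destination with realpath() and rejects anything that resolves outside the allowed base directory, and it additionally restricts the file type to a non-executable allowlist. The function names, the sandbox directory and the sample paths are constructed for the demonstration.

```php
<?php
// Added example (not WP Editor's code): confine a user-supplied relative path
// to an allowed base directory before writing to it, and restrict file types.

/**
 * Return the canonical absolute path for $relative inside $base, or null if
 * the resolved path would escape $base (".." traversal, symlinks that point
 * outside the base, or NUL bytes). Hypothetical helper name.
 */
function wpe_example_confine_path(string $base, string $relative): ?string
{
    // NUL bytes can truncate paths in lower-level filesystem calls.
    if (strpos($relative, "\0") !== false) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null; // the base directory must exist
    }
    $baseReal = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Resolve the parent directory rather than the file itself, so that a
    // file that does not exist yet can still be validated.
    $candidate  = $baseReal . ltrim(str_replace('\\', '/', $relative), '/');
    $parentReal = realpath(dirname($candidate));
    if ($parentReal === false) {
        return null; // parent directory must exist inside the base
    }
    $target = rtrim($parentReal, DIRECTORY_SEPARATOR)
            . DIRECTORY_SEPARATOR . basename($candidate);

    // The canonical target must begin with the canonical base, separator included.
    if (strncmp($target, $baseReal, strlen($baseReal)) !== 0) {
        return null;
    }
    return $target;
}

/**
 * Allow only extensions from an explicit allowlist; anything without an
 * extension or with an unlisted one (e.g. php) is refused. Hypothetical name.
 */
function wpe_example_is_allowed_type(string $path, array $allowed): bool
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowed, true);
}

// Demonstration with a constructed sandbox directory under the system temp dir.
$sandbox = sys_get_temp_dir() . '/wpe_example_' . bin2hex(random_bytes(4));
mkdir($sandbox . '/uploads', 0700, true);
$allowedTypes = ['txt', 'css', 'png'];

$cases = [
    'uploads/notes.txt',         // inside base, allowed type: accepted
    'uploads/../notes.txt',      // normalises to base/notes.txt: still inside
    'uploads/../../escape.txt',  // resolves above base: rejected by confinement
    'uploads/shell.php',         // inside base but executable type: rejected
];

foreach ($cases as $requested) {
    $resolved = wpe_example_confine_path($sandbox, $requested);
    if ($resolved === null) {
        printf("%-28s -> rejected (outside base)\n", $requested);
    } elseif (!wpe_example_is_allowed_type($resolved, $allowedTypes)) {
        printf("%-28s -> rejected (file type)\n", $requested);
    } else {
        printf("%-28s -> ok: %s\n", $requested, $resolved);
    }
}

// Clean up the constructed sandbox.
rmdir($sandbox . '/uploads');
rmdir($sandbox);
```

The check resolves the parent directory rather than the final path so that newly created files can be validated, and compares the canonical result against the canonical base with the trailing separator included, which prevents a sibling directory such as `base-other` from passing a plain prefix comparison. Rejecting by extension allowlist, rather than by blocklist, is what keeps an otherwise in-bounds write from producing a file the web server would execute.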

Remediation

Users are advised to update the WP Editor plugin to version 1.2.9.2 or a newer patched version.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

category        score
spread           5.2
impact          10.0
exploitability   6.0
remediation      7.7
relevance        0.0
threat           4.8
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.