Theme Editor allows malicious code execution

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

Theme Editor allows malicious code execution

CVE-2026-39640

Summary

A security weakness in Theme Editor, a plugin used by website owners, allows an attacker to execute malicious code on a website. This could lead to unauthorized actions, such as adding malicious content or modifying settings. To protect your website, update to the latest version of Theme Editor to fix this issue.

Original title

Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection.This issue affects Theme Editor: from n/a through <= 3.2.

Original description

Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection.This issue affects Theme Editor: from n/a through <= 3.2.

Vulnerability type

CWE-352 Cross-Site Request Forgery (CSRF)

https://patchstack.com/database/Wordpress/Plugin/theme-editor/vulnerability/word...

Published: 8 Apr 2026 · Updated: 9 Apr 2026 · First seen: 8 Apr 2026