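This page aggregates CVE and security vulnerability information across benjaminrojas-related products, listing CVSS, EPSS, publication dates, and vulnerability data.
Published issues are often related to path-handling flaws, SQL injection, and CSRF, and, in the context of software deployment and production workloads, may carry exposure risks such as file overwrite and data exposure.
The listed data is based on public vulnerability information and security advisories, and can be used to assess past exposure and remediation priority.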
| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-3295 | The WP Editor plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the affected site's server which may reveal sensitive information. | [email protected] | 4.9 | 0.45% | 2025-04-17 | 2026-06-17 |
| CVE-2025-3294 | The WP Editor plugin for WordPress is vulnerable to arbitrary file update due to missing file path validation in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to overwrite arbitrary files on the affected site's server which may make remote code execution possible assuming the files can be written to by the web server. | [email protected] | 7.2 | 0.82% | 2025-04-17 | 2026-06-17 |
| CVE-2022-2446 | The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'current_theme_root' parameter in versions up to, and including 1.2.9. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file | [email protected] | 7.2 | 0.56% | 2024-09-13 | 2026-06-17 |
| CVE-2024-25591 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Benjamin Rojas WP Editor. This issue affects WP Editor: from n/a through 1.2.7. | [email protected] | 5.3 | 0.45% | 2024-03-17 | 2026-06-17 |
| CVE-2021-24151 | The WP Editor WordPress plugin before 1.2.7 did not sanitise or validate its setting fields leading to an authenticated (admin+) blind SQL injection issue via an arbitrary parameter when making a request to save the settings. | [email protected] | 7.2 | 0.77% | 2024-01-16 | 2026-06-17 |
| CVE-2016-10886 | The wp-editor plugin before 1.2.6 for WordPress has incorrect permissions. | [email protected] | 9.8 | 2.00% | 2019-08-14 | 2026-06-17 |
| CVE-2016-10885 | The wp-editor plugin before 1.2.6 for WordPress has CSRF. | [email protected] | 8.8 | 0.68% | 2019-08-14 | 2026-06-17 |