CVE-2022-2440

The Theme Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'images_array' parameter in versions up to, and including 2.8. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/theme-editor/trunk/ms_child_theme_editor.php#L495	Product
https://plugins.trac.wordpress.org/changeset/3142694/	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/88fe46bf-8e85-4550-92ad-bdd426e5a745?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:themeeditor:theme_editor:*:*:*:*:*:wordpress:*:*

History

10 Jul 2025, 15:29

Type	Values Removed	Values Added
References	~~() https://plugins.trac.wordpress.org/browser/theme-editor/trunk/ms_child_theme_editor.php#L495 -~~	() https://plugins.trac.wordpress.org/browser/theme-editor/trunk/ms_child_theme_editor.php#L495 - Product
References	~~() https://plugins.trac.wordpress.org/changeset/3142694/ -~~	() https://plugins.trac.wordpress.org/changeset/3142694/ - Patch
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/88fe46bf-8e85-4550-92ad-bdd426e5a745?source=cve -~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/88fe46bf-8e85-4550-92ad-bdd426e5a745?source=cve - Third Party Advisory
First Time		Themeeditor theme Editor Themeeditor
CPE		cpe:2.3:a:themeeditor:theme_editor::::::wordpress::*

Information

Published : 2024-08-29 11:15

Updated : 2025-07-10 15:29

NVD link : CVE-2022-2440

Mitre link : CVE-2022-2440

CVE.ORG link : CVE-2022-2440

JSON object : View

Products Affected

themeeditor

theme_editor

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2022-2440", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2024-08-29T11:15:23.790", "references": [{"url": "https://plugins.trac.wordpress.org/browser/theme-editor/trunk/ms_child_theme_editor.php#L495", "tags": ["Product"], "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3142694/", "tags": ["Patch"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/88fe46bf-8e85-4550-92ad-bdd426e5a745?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "The Theme Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'images_array' parameter in versions up to, and including 2.8. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload."}, {"lang": "es", "value": "El complemento Theme Editor para WordPress es vulnerable a la deserializaci\u00f3n de entradas no confiables a trav\u00e9s del par\u00e1metro 'images_array' en versiones hasta la 2.8 incluida. Esto permite que atacantes autenticados con privilegios administrativos llamen a archivos utilizando un contenedor PHAR que deserializar\u00e1 y llamar\u00e1 a objetos PHP arbitrarios que se pueden usar para realizar una variedad de acciones maliciosas siempre que tambi\u00e9n est\u00e9 presente una cadena POP. Tambi\u00e9n requiere que el atacante cargue con \u00e9xito un archivo con la carga serializada."}], "lastModified": "2025-07-10T15:29:43.333", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:themeeditor:theme_editor:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "5D8A93B3-8E85-4CB7-9359-9F0B7787DF19", "versionEndExcluding": "2.9"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}