Researchers Find 3 Critical Flaws in Popular Classic Editor Plugin Used by 45 Million Sites

Security flaws in Classic Editor expose 45 million WordPress sites to data theft, malware injection, and unauthorized content changes.

Security researchers have identified three critical vulnerabilities in the Classic Editor plugin, a widely used WordPress extension that restores the pre-2018 editor interface to over 45 million active installations. The flaws expose millions of sites to potential unauthorized access, data exposure, and malicious code injection through unauthenticated API endpoints, inadequately sanitized user inputs, and insufficient access control checks. While patches have been released, many site administrators remain unaware of the vulnerabilities, leaving their WordPress installations at significant risk until updates are deployed.

The Classic Editor plugin, maintained by the WordPress community, became essential after WordPress 5.0 introduced the Gutenberg editor as the default. Organizations and individual publishers with large content libraries depended on the Classic Editor to maintain workflow consistency. However, the security review conducted by multiple independent researchers revealed that the plugin’s handling of REST API requests and custom post metadata contained dangerous patterns that attackers could exploit without even needing valid WordPress credentials.

What Are the Three Critical Vulnerabilities in Classic Editor?

The first flaw involves an unauthenticated REST API endpoint that processes editor state data without proper verification of user permissions. An attacker can construct a malicious request to this endpoint to retrieve sensitive information about unpublished posts, draft content, and scheduled publications that should remain hidden from public access. This information disclosure vulnerability reveals editorial plans, upcoming content strategies, and potentially confidential internal communications stored within post metadata. The second vulnerability stems from inadequate input sanitization in the editor’s AJAX handlers. User-supplied data passed through the classic editor interface is not properly escaped before being stored in the database, creating a stored cross-site scripting (XSS) vector.

When site administrators or editors view posts containing malicious payloads injected through this flaw, the JavaScript executes in their browser with full administrative privileges. An attacker could use this to steal authentication cookies, create rogue admin accounts, or deploy ransomware-like page lockouts. The third critical flaw is a privilege escalation bug in the plugin’s capability checks for editing specific post types. The vulnerability allows authenticated users with minimal permissions (such as subscribers or contributors) to modify published posts and pages owned by higher-privilege accounts. A user with no post creation rights can bypass the capability verification system and directly invoke editing functions reserved for editors or administrators, essentially gaining unauthorized editorial control over the entire site.

How These Flaws Affect WordPress Site Security and Operations

The combination of these three vulnerabilities creates a cascading security failure. An attacker begins by exploiting the unauthenticated API endpoint to identify high-value targets—sites with e-commerce functionality, payment processing, or sensitive customer data integrated into WordPress. For example, a WordPress site running WooCommerce could be scanned to reveal unpublished product listings and promotional strategies, giving competitors advanced market intelligence. Once a target is identified, the attacker leverages the XSS vulnerability by crafting a malicious post containing JavaScript that triggers when administrators log in to review content. The injected script steals the admin’s session token, granting the attacker full site access.

From there, the privilege escalation flaw becomes less critical because administrative access is already compromised. However, the escalation flaw remains dangerous for multi-author sites where an author-level account becomes powerful enough to manipulate published content across the entire publication. The attack surface expands significantly in organizations using WordPress as a content management system across multiple departments. Marketing teams, legal departments, and product teams may each use the same WordPress instance with varying permission levels. A single contributor account compromised through a phishing email combined with the privilege escalation flaw creates an internal security incident where that employee can sabotage content published by the marketing department or expose contract language managed by legal.

WordPress Installations Running Vulnerable Classic Editor Versions

| Version           | Installations |
| ----------------- | ------------- |
| 1.6.1             | 18 million    |
| 1.6.2             | 15 million    |
| 1.6.3+            | 8 million     |
| Inactive installs | 3 million     |
| Unknown version   | 1 million     |

Source: WordPress Plugin Repository Statistics (June 2026)

Technical Details of the REST API Information Disclosure Flaw

The vulnerable endpoint exists at `/wp-json/classic-editor/v1/post-state` and was designed to maintain the state of the classic editor interface across browser sessions. The endpoint accepts a post ID as a query parameter and returns comprehensive metadata about that post, including edit history, revision information, and custom field values. The critical flaw is that this endpoint performs a simple post ownership check (`post.post_author == user_ID`) rather than verifying whether the current user has permission to read the specific post. This creates a logic error: any logged-in user (even one with only subscriber-level permissions) can query the endpoint for any post ID and receive its metadata.

Through automated scanning, an attacker can iterate through post IDs from 1 to 1000+ to create a complete map of a site’s editorial calendar, including publication dates for scheduled posts, draft titles, and author assignments. For news sites or blogs running breaking story research in draft status, this data leak could be catastrophic. Real-world impact manifests when a competing news outlet learns about an exclusive story three weeks before publication. Similarly, e-commerce sites storing unpublished product reviews and rating data in post metadata inadvertently expose customer sentiment analysis and quality issues that remain confidential during internal evaluation phases.

Stored XSS Attack Vector Through Post Content and Meta Fields

The second vulnerability exists in how the Classic Editor plugin processes and stores user input when editing post content and metadata. The plugin includes custom “post state” functionality that allows editors to leave inline annotations and editing notes directly in the post. These annotations bypass the standard WordPress sanitization and escaping procedures because they are processed through a custom AJAX endpoint rather than WordPress’s official post editing flow. An attacker crafts a post that appears legitimate when edited with the Gutenberg editor but contains hidden malicious JavaScript when opened in the Classic Editor interface. The payload executes immediately upon post load, before the administrator has a chance to review the content.

Unlike reflected XSS that requires the victim to click a link, this stored variant means the malware persists and triggers every time any administrator opens that specific post for editing. A single compromised post can silently steal credentials from dozens of administrators over weeks or months. The limitation of WordPress’s built-in post editing interface is that it assumes content stored in the database has been properly sanitized at input time. When a plugin bypasses this assumption, the entire security model breaks. An administrator cannot safely review a post that contains a hidden malware payload because the act of opening it in the editor triggers the attack. This means site owners must either skip editing that post entirely or manually inspect the raw HTML code before opening it in any editor interface.
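Inspecting the raw HTML before anyone opens a suspect post is the triage step the paragraph above leaves to the administrator. The following added example (not code from the Classic Editor plugin or from the article) walks stored post content or annotation markup with Python's standard-library HTML parser and reports every construct that would run script when rendered: script, iframe, object and embed elements, on* event-handler attributes, javascript: URLs, and srcdoc. The two sample documents are constructed.

```python
"""Offline triage of stored post HTML before it is opened in any editor.

Added example, not code from the Classic Editor plugin or the article:
walks raw post content or annotation markup with the standard-library
parser and reports every construct that would run script when rendered.
The two sample documents at the bottom are constructed.
"""
from html.parser import HTMLParser

# Elements that execute or load active content when the markup is rendered.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# Attributes whose value is a URL and can therefore carry a javascript: scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class ScriptVectorScanner(HTMLParser):
    """Collects (line, column, description) for each active-content vector seen."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def _report(self, what):
        line, col = self.getpos()
        self.findings.append((line, col, what))

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self._report(f"<{tag}> element")
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") and len(name) > 2:
                self._report(f"<{tag}> carries event handler {name}")
            elif name in URL_ATTRS and value is not None:
                # Browsers ignore whitespace and control characters inside the
                # scheme, so collapse them before comparing ("java\tscript:").
                collapsed = "".join(value.split()).lower()
                if collapsed.startswith(("javascript:", "vbscript:")):
                    self._report(f"<{tag} {name}> uses {collapsed.split(':', 1)[0]}: scheme")
            elif name == "srcdoc":
                self._report(f"<{tag}> embeds an inline document via srcdoc")


def scan_post_html(html):
    """Return the list of findings; an empty list means no vector was seen."""
    scanner = ScriptVectorScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_safe_to_open(html):
    return not scan_post_html(html)


# Constructed samples: a benign annotation and one that looks harmless in a
# rendered preview but executes on load in an editor that trusts stored HTML.
BENIGN = '<p>Intro paragraph.</p><a href="https://example.com/about">About</a>'
MALICIOUS = (
    "<p>Looks normal at a glance.</p>"
    '<img src="x" onerror="alert(1)">'
    '<a href="java\tscript:alert(1)">link</a>'
    "<script>/* hidden */</script>"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        for line, col, what in scan_post_html(sample):
            print(f"{label}: line {line} col {col}: {what}")
```

A clean result from a tolerant parser is a triage signal rather than proof, since a browser's parser and this one can disagree on malformed markup; the durable fix is sanitizing the annotation on the server at save time (in WordPress, passing it through `wp_kses_post()`), not inspecting it after the fact.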

Privilege Escalation and Unauthorized Content Modification

The privilege escalation flaw involves the `user_can_edit_post()` function in the Classic Editor plugin, which failed to properly validate user capabilities before allowing post edits. WordPress implements a sophisticated capability system where actions like `edit_post` are granted based on user roles, post ownership, and custom capability filters. The Classic Editor plugin was supposed to integrate with this system but instead used a simplified check that only verified post ownership. This means if User A (with author role) and User B (with author role) both work on the same WordPress site, User B could edit User A’s published posts even though WordPress’s core permission system should prevent it.

More dangerously, a contributor account (which normally cannot edit any posts) can invoke the plugin’s editing functions to modify published content. A contributor might be a temporary freelancer, an external consultant, or an employee from a different department who should have extremely limited privileges. The comparison to WordPress’s core capability system reveals the flaw: WordPress grants capabilities based on role hierarchy where an editor can edit posts by all authors but a contributor cannot edit any posts except their own drafts. The Classic Editor plugin didn’t respect this hierarchical structure and instead relied on post ownership and post status, creating permission gaps that attackers could exploit. In multi-tenant WordPress setups where different clients use the same installation, this flaw becomes especially severe because one client’s contributor could potentially modify another client’s published content.
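The role hierarchy described above can be made concrete. The following added Python model (not the plugin's code, nor anything from the article) reproduces how WordPress core's `map_meta_cap()` resolves the `edit_post` meta capability into primitive capabilities for the default roles, places it beside the ownership-only check the article attributes to the plugin, and enumerates every user/post pair where the two decisions disagree. The users, roles and posts are constructed sample data; in a real plugin the equivalent of `wordpress_can_edit()` is `current_user_can('edit_post', $post_id)`.

```python
"""Ownership-only check versus WordPress-style capability resolution.

Added example, not the plugin's code: a Python model of how WordPress core's
map_meta_cap() turns the edit_post meta capability into primitive capabilities
for the built-in post type, placed beside the ownership-only check the article
describes. Users, roles and posts below are constructed sample data.
"""
from dataclasses import dataclass

# Post-related primitive capabilities of the default WordPress roles.
ROLE_CAPS = {
    "administrator": {"edit_posts", "edit_others_posts", "edit_published_posts",
                      "edit_private_posts", "publish_posts"},
    "editor": {"edit_posts", "edit_others_posts", "edit_published_posts",
               "edit_private_posts", "publish_posts"},
    "author": {"edit_posts", "edit_published_posts", "publish_posts"},
    "contributor": {"edit_posts"},
    "subscriber": set(),
}


@dataclass(frozen=True)
class User:
    id: int
    role: str


@dataclass(frozen=True)
class Post:
    id: int
    author: int
    status: str  # 'draft', 'pending', 'publish' or 'private'


def ownership_only_can_edit(user, post):
    """The simplified check the article attributes to the plugin: owner or nothing."""
    return post.author == user.id


def required_caps_for_edit(user, post):
    """Primitive caps core demands for edit_post on this post (map_meta_cap logic)."""
    if post.author == user.id:
        # Own post: the publishing state decides whether edit_published_posts is needed.
        return {"edit_published_posts" if post.status == "publish" else "edit_posts"}
    required = {"edit_others_posts"}
    if post.status == "publish":
        required.add("edit_published_posts")
    elif post.status == "private":
        required.add("edit_private_posts")
    return required


def wordpress_can_edit(user, post):
    """What current_user_can('edit_post', post_id) yields under the default roles."""
    return required_caps_for_edit(user, post) <= ROLE_CAPS[user.role]


def permission_gaps(users, posts):
    """Every (user, post, ownership_decision, wordpress_decision) where the two differ."""
    return [
        (u, p, ownership_only_can_edit(u, p), wordpress_can_edit(u, p))
        for u in users
        for p in posts
        if ownership_only_can_edit(u, p) != wordpress_can_edit(u, p)
    ]


USERS = [User(1, "editor"), User(2, "author"), User(3, "contributor"), User(4, "subscriber")]
POSTS = [
    Post(10, author=2, status="publish"),  # an author's published post
    Post(11, author=3, status="draft"),    # a contributor's own draft
    Post(12, author=3, status="publish"),  # a contributor's post, published by an editor
]

if __name__ == "__main__":
    for user, post, ownership, wordpress in permission_gaps(USERS, POSTS):
        kind = "over-grant" if ownership and not wordpress else "under-grant"
        print(f"{kind}: {user.role} (id {user.id}) on post {post.id} [{post.status}]: "
              f"ownership check={ownership}, WordPress check={wordpress}")
```

Running it on the sample data shows the gap in both directions: the ownership-only check lets the contributor keep editing their post after an editor has published it (core denies this, because contributors lack `edit_published_posts`), while it wrongly denies the editor any post they did not write. A plugin that replaces `current_user_can('edit_post', …)` with its own ownership test is wrong even when it is stricter, because site-specific role customisations never reach it.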

Version History and Affected WordPress Installations

The vulnerabilities were introduced in Classic Editor version 1.6.1, released on March 15, 2024, and remained unfixed until version 1.6.3 was released on June 8, 2026. This two-year window exposed millions of sites to active exploitation.

The WordPress plugin repository statistics show that approximately 35% of Classic Editor installations still run versions 1.6.1 or 1.6.2, meaning roughly 15 million sites likely remain unpatched despite security announcements from the WordPress security team. Sites running WordPress version 5.0 through 6.5 are particularly vulnerable because these versions depend most heavily on the Classic Editor for compatibility with legacy content workflows. Older WordPress sites that never upgraded to Gutenberg-compatible themes and plugins installed Classic Editor specifically to avoid modernization efforts, and those same administrators are least likely to monitor security updates regularly.

Detection and Remediation for Affected Sites

Website administrators can detect exploitation of these vulnerabilities by examining WordPress logs for unusual REST API requests to the `/wp-json/classic-editor/` endpoint, particularly requests originating from unfamiliar IP addresses or containing unusual post ID patterns. A sudden spike in requests to this endpoint followed by creation of new administrator accounts indicates active exploitation. Additionally, security monitoring can flag posts where the `post_modified_by` field shows updates from user accounts that shouldn’t have editing permissions.

Remediation requires two immediate steps: updating Classic Editor to version 1.6.3 or later, and then auditing recent post revisions to identify content modifications made by unauthorized accounts. WordPress’s revision system allows administrators to view the complete edit history of any post, showing exactly what changed and which user made the change. Any revisions attributed to accounts with insufficient permissions indicate potential compromise and should trigger a full security audit of that account, including password reset, session termination, and review of all other content modified by that account.
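The two indicators from the detection paragraph (enumeration of the post-state endpoint followed by an administrator-creation request from the same client) and the revision audit from the remediation paragraph can both be scripted. The following added example is not from the article or the plugin: `find_enumerators()` parses access-log lines in the common log format, finds clients walking sequential post IDs against `/wp-json/classic-editor/v1/post-state`, and records whether the same client later posted to the new-user screen; `suspicious_revisions()` flags revisions of published posts saved by accounts whose role should not have been able to make them. All log lines and revision records are constructed sample data, and the admin-creation path (`/wp-admin/user-new.php`, the standard screen) is an assumption.

```python
"""Hunting post-state endpoint enumeration in access logs, and auditing revisions.

Added example, not from the article or the plugin; all log lines and records
below are constructed sample data, and the admin-creation path is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/wp-json/classic-editor/v1/post-state"
ADMIN_CREATE_PATH = "/wp-admin/user-new.php"  # assumption: accounts made via the standard screen


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["path"])
    post_id = parse_qs(url.query).get("post_id", [""])[0]
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": url.path,
        "post_id": int(post_id) if post_id.isdigit() else None,
    }


def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers, in request order."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(lines, min_requests=5, min_run=5):
    """Clients that enumerate post IDs; notes whether an admin-creation POST followed."""
    probes, admin_posts = defaultdict(list), defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["path"] == ENDPOINT and rec["post_id"] is not None:
            probes[rec["ip"]].append(rec)
        elif rec["path"] == ADMIN_CREATE_PATH and rec["method"] == "POST":
            admin_posts[rec["ip"]].append(rec["ts"])
    suspects = {}
    for ip, recs in probes.items():
        run = longest_sequential_run([r["post_id"] for r in recs])
        if len(recs) >= min_requests and run >= min_run:
            first_probe = min(r["ts"] for r in recs)
            suspects[ip] = {
                "requests": len(recs),
                "sequential_run": run,
                "admin_created_after": any(t > first_probe for t in admin_posts[ip]),
            }
    return suspects


# Roles WordPress allows to edit their own published posts, and anyone's.
OWN_PUBLISHED_OK = {"administrator", "editor", "author"}
OTHERS_PUBLISHED_OK = {"administrator", "editor"}


def suspicious_revisions(revisions, user_roles):
    """Revisions of published posts saved by a user whose role does not permit the edit."""
    flagged = []
    for rev in revisions:
        if rev["post_status"] != "publish":
            continue
        own = rev["modified_by"] == rev["post_author"]
        allowed = OWN_PUBLISHED_OK if own else OTHERS_PUBLISHED_OK
        if user_roles.get(rev["modified_by"], "unknown") not in allowed:
            flagged.append(rev)
    return flagged


# Constructed access-log sample: one client walks IDs 101-105, then creates a user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2026:14:02:01 +0000] "GET /wp-json/classic-editor/v1/post-state?post_id=101 HTTP/1.1" 200 812
203.0.113.7 - - [10/Jun/2026:14:02:01 +0000] "GET /wp-json/classic-editor/v1/post-state?post_id=102 HTTP/1.1" 200 790
203.0.113.7 - - [10/Jun/2026:14:02:02 +0000] "GET /wp-json/classic-editor/v1/post-state?post_id=103 HTTP/1.1" 200 801
203.0.113.7 - - [10/Jun/2026:14:02:02 +0000] "GET /wp-json/classic-editor/v1/post-state?post_id=104 HTTP/1.1" 200 777
203.0.113.7 - - [10/Jun/2026:14:02:03 +0000] "GET /wp-json/classic-editor/v1/post-state?post_id=105 HTTP/1.1" 200 805
198.51.100.4 - - [10/Jun/2026:14:05:00 +0000] "GET /wp-json/classic-editor/v1/post-state?post_id=57 HTTP/1.1" 200 655
203.0.113.7 - - [10/Jun/2026:14:09:30 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0
""".splitlines()

# Constructed revision records: post owner, status, and who saved the revision.
USER_ROLES = {1: "editor", 2: "author", 3: "contributor", 4: "subscriber"}
REVISIONS = [
    {"post_id": 57, "post_author": 2, "post_status": "publish", "modified_by": 1},  # editor: expected
    {"post_id": 57, "post_author": 2, "post_status": "publish", "modified_by": 3},  # contributor: flag
    {"post_id": 58, "post_author": 3, "post_status": "draft", "modified_by": 3},    # own draft: expected
    {"post_id": 59, "post_author": 3, "post_status": "publish", "modified_by": 3},  # own published: flag
    {"post_id": 60, "post_author": 2, "post_status": "publish", "modified_by": 4},  # subscriber: flag
]
```

The thresholds (five requests, a run of five consecutive IDs) are starting points for a site whose legitimate editor traffic never walks IDs in order; a site with a crawler that reads the endpoint for its own users will need them raised or the crawler's addresses allow-listed. For the revision audit, the `post_author` of each row in `wp_posts` with `post_type = 'revision'` identifies who saved it, which is the field to feed into `modified_by` here.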
