Skip to main content

Grand Photography CVE-2026-39603

| EUVDEUVD-2026-20233 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-08 Patchstack GHSA-3p7h-vrh2-gc3q
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20233
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.4

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Photography grandphotography allows Cross Site Request Forgery.This issue affects Grand Photography: from n/a through <= 5.7.8.

AnalysisAI

Cross-Site Request Forgery (CSRF) in ThemeGoods Grand Photography WordPress theme versions up to 5.7.8 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through crafted requests. The vulnerability requires user interaction (clicking a malicious link) but carries low real-world exploitation risk, with an EPSS score of 0.01% indicating minimal practical likelihood of attack despite the moderate CVSS 5.4 rating.

Technical ContextAI

This is a classic CSRF vulnerability (CWE-352) affecting the Grand Photography WordPress theme. CSRF exploits occur when a malicious website or email tricks an authenticated user into making unintended requests to a target application without their knowledge. The theme fails to implement or properly validate CSRF tokens (nonces in WordPress terminology) on state-changing operations. The vulnerability resides in the WordPress theme itself (CPE: cpe:2.3:a:themegoods:grand_photography:*:*:*:*:*:*:*:*), meaning all installations from version 0 through 5.7.8 are affected. WordPress provides built-in CSRF protection mechanisms (wp_verify_nonce and wp_nonce_field functions), but developers must implement them correctly on all forms and AJAX requests.

RemediationAI

Update the Grand Photography theme to a version higher than 5.7.8 immediately upon release. Site administrators should check the ThemeGoods website or their WordPress theme dashboard for patched versions. Until a patch is available, implement WordPress security best practices: ensure administrators and editors are trusted users only, disable unnecessary theme functionality, and consider using security plugins that detect and block CSRF attempts. Review all custom theme code and third-party plugins for similar CSRF vulnerabilities. Additional details are available in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Theme/grandphotography/vulnerability/wordpress-grand-photography-theme-5-7-8-cross-site-request-forgery-csrf-vulnerability?_s_id=cve.

Share

CVE-2026-39603 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy