Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Bluestreet bluestreet allows Cross Site Request Forgery.This issue affects Bluestreet: from n/a through <= 1.7.3.
AnalysisAI
Cross-Site Request Forgery in priyanshumittal Bluestreet WordPress theme through version 1.7.3 enables unauthenticated attackers to perform arbitrary plugin installations via CSRF. Exploitation requires user interaction (victim must click malicious link or visit attacker-controlled page while authenticated to WordPress). High severity due to scope change and potential for complete site compromise through malicious plugin deployment. No public exploit identified at time of analysis.
Technical ContextAI
CSRF vulnerability (CWE-352) stems from missing or inadequate anti-CSRF token validation in plugin installation functionality. CVSS vector PR:N indicates unauthenticated attack surface; S:C (scope change) reflects potential escalation beyond theme boundaries. Attacker crafts malicious request triggering plugin installation with administrator privileges, bypassing WordPress nonce protection mechanisms within theme code.
RemediationAI
No vendor-released patch identified at time of analysis. Primary mitigation: immediately deactivate and remove Bluestreet theme from all WordPress installations. Replace with actively maintained alternative theme from WordPress.org repository. If theme must remain active, implement Web Application Firewall rules to block POST requests to plugin installation endpoints from external referrers, and restrict wp-admin access via IP allowlisting. Monitor for unauthorized plugin installations through WordPress audit logs. Full technical details and affected version confirmation available at Patchstack advisory: https://patchstack.com/database/Wordpress/Theme/bluestreet/vulnerability/wordpress-bluestreet-theme-1-7-3-cross-site-request-forgery-csrf-to-arbitrary-plugin-installation-vulnerability. Exploitation status: low observed exploitation activity (EPSS <1%).
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20257
GHSA-8j59-3fgc-7r5h