Skip to main content

Bluestreet CVE-2026-39617

| EUVDEUVD-2026-20257 CRITICAL
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-08 Patchstack GHSA-8j59-3fgc-7r5h
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 18:22 vuln.today
cvss_changed
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20257
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
CRITICAL 9.6

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Bluestreet bluestreet allows Cross Site Request Forgery.This issue affects Bluestreet: from n/a through <= 1.7.3.

AnalysisAI

Cross-Site Request Forgery in priyanshumittal Bluestreet WordPress theme through version 1.7.3 enables unauthenticated attackers to perform arbitrary plugin installations via CSRF. Exploitation requires user interaction (victim must click malicious link or visit attacker-controlled page while authenticated to WordPress). High severity due to scope change and potential for complete site compromise through malicious plugin deployment. No public exploit identified at time of analysis.

Technical ContextAI

CSRF vulnerability (CWE-352) stems from missing or inadequate anti-CSRF token validation in plugin installation functionality. CVSS vector PR:N indicates unauthenticated attack surface; S:C (scope change) reflects potential escalation beyond theme boundaries. Attacker crafts malicious request triggering plugin installation with administrator privileges, bypassing WordPress nonce protection mechanisms within theme code.

RemediationAI

No vendor-released patch identified at time of analysis. Primary mitigation: immediately deactivate and remove Bluestreet theme from all WordPress installations. Replace with actively maintained alternative theme from WordPress.org repository. If theme must remain active, implement Web Application Firewall rules to block POST requests to plugin installation endpoints from external referrers, and restrict wp-admin access via IP allowlisting. Monitor for unauthorized plugin installations through WordPress audit logs. Full technical details and affected version confirmation available at Patchstack advisory: https://patchstack.com/database/Wordpress/Theme/bluestreet/vulnerability/wordpress-bluestreet-theme-1-7-3-cross-site-request-forgery-csrf-to-arbitrary-plugin-installation-vulnerability. Exploitation status: low observed exploitation activity (EPSS <1%).

Share

CVE-2026-39617 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy