Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Busiprof busiprof allows Upload a Web Shell to a Web Server.This issue affects Busiprof: from n/a through <= 2.5.2.
AnalysisAI
Cross-Site Request Forgery (CSRF) in Busiprof WordPress theme versions ≤2.5.2 enables unauthenticated attackers to upload web shells to the server by tricking authenticated administrators into executing malicious requests. Successful exploitation grants remote code execution capabilities through arbitrary file upload, allowing complete server compromise. CVSS 9.6 reflects cross-site scope with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, with low observed exploitation activity (EPSS 0.01%).
Technical ContextAI
CSRF vulnerability (CWE-352) bypasses file upload restrictions by exploiting missing anti-CSRF token validation in upload functionality. Unauthenticated attack vector (PR:N) requires user interaction (UI:R) where privileged user must trigger forged request, enabling arbitrary PHP web shell placement. Cross-site scope (S:C) indicates resource compromise beyond vulnerable component boundaries, escalating from CSRF to remote code execution.
RemediationAI
No vendor-released patch identified at time of analysis for versions beyond 2.5.2. Immediately deactivate and replace Busiprof theme with actively maintained alternative. If theme must remain operational, implement Web Application Firewall (WAF) rules blocking unauthorized file uploads, restrict administrative access to trusted IP addresses, and enforce Content Security Policy (CSP) headers to mitigate CSRF vectors. Monitor server for suspicious PHP files in upload directories (/wp-content/uploads, /wp-content/themes/busiprof). Review Patchstack advisory for technical details: https://patchstack.com/database/Wordpress/Theme/busiprof/vulnerability/wordpress-busiprof-theme-2-5-2-cross-site-request-forgery-csrf-to-arbitrary-file-upload-vulnerability
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20261
GHSA-7gr5-hfgj-rpgg