Skip to main content

Busiprof CVE-2026-39619

| EUVDEUVD-2026-20261 CRITICAL
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-08 Patchstack GHSA-7gr5-hfgj-rpgg
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 18:22 vuln.today
cvss_changed
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20261
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
CRITICAL 9.6

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Busiprof busiprof allows Upload a Web Shell to a Web Server.This issue affects Busiprof: from n/a through <= 2.5.2.

AnalysisAI

Cross-Site Request Forgery (CSRF) in Busiprof WordPress theme versions ≤2.5.2 enables unauthenticated attackers to upload web shells to the server by tricking authenticated administrators into executing malicious requests. Successful exploitation grants remote code execution capabilities through arbitrary file upload, allowing complete server compromise. CVSS 9.6 reflects cross-site scope with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, with low observed exploitation activity (EPSS 0.01%).

Technical ContextAI

CSRF vulnerability (CWE-352) bypasses file upload restrictions by exploiting missing anti-CSRF token validation in upload functionality. Unauthenticated attack vector (PR:N) requires user interaction (UI:R) where privileged user must trigger forged request, enabling arbitrary PHP web shell placement. Cross-site scope (S:C) indicates resource compromise beyond vulnerable component boundaries, escalating from CSRF to remote code execution.

RemediationAI

No vendor-released patch identified at time of analysis for versions beyond 2.5.2. Immediately deactivate and replace Busiprof theme with actively maintained alternative. If theme must remain operational, implement Web Application Firewall (WAF) rules blocking unauthorized file uploads, restrict administrative access to trusted IP addresses, and enforce Content Security Policy (CSP) headers to mitigate CSRF vectors. Monitor server for suspicious PHP files in upload directories (/wp-content/uploads, /wp-content/themes/busiprof). Review Patchstack advisory for technical details: https://patchstack.com/database/Wordpress/Theme/busiprof/vulnerability/wordpress-busiprof-theme-2-5-2-cross-site-request-forgery-csrf-to-arbitrary-file-upload-vulnerability

Share

CVE-2026-39619 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy