Skip to main content

Appointment CVE-2026-39620

| EUVDEUVD-2026-20262 CRITICAL
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-08 Patchstack GHSA-5rf8-xhgp-9mg9
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 24, 2026 - 18:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 15:23 vuln.today
CVSS changed
Apr 14, 2026 - 15:22 NVD
9.6 (CRITICAL)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20262
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Appointment appointment allows Upload a Web Shell to a Web Server.This issue affects Appointment: from n/a through <= 3.5.5.

AnalysisAI

WordPress Appointment theme versions through 3.5.5 suffer from Cross-Site Request Forgery (CSRF) enabling unauthenticated attackers to upload malicious web shells to the server. With CVSS 9.6 (Critical) and a changed scope, successful exploitation grants attackers remote code execution capabilities with high impact to confidentiality, integrity, and availability. EPSS probability is low (0.01%, 1st percentile), and no public exploit identified at time of analysis, though the CSRF-to-RCE chain represents a serious threat requiring immediate patching.

Technical ContextAI

This vulnerability affects the Appointment WordPress theme (CPE: cpe:2.3:a:priyanshumittal:appointment) developed by priyanshumittal. The root cause is CWE-352 (Cross-Site Request Forgery), where the theme fails to implement proper anti-CSRF tokens or nonce validation on file upload functionality. WordPress themes typically handle file uploads for customization features like logo uploads, background images, or media management. Without CSRF protection, an attacker can craft a malicious HTML form that, when visited by an authenticated WordPress administrator, automatically submits a file upload request to the vulnerable endpoint. The critical escalation occurs because the CSRF vulnerability is chained with unrestricted file upload, allowing arbitrary file types including PHP web shells. Once uploaded, these shells provide a persistent backdoor for remote code execution on the web server, effectively converting a CSRF flaw into full server compromise.

RemediationAI

Immediately upgrade the Appointment theme to a version newer than 3.5.5 if available, checking the theme's official repository or marketplace listing for patched releases. As of this analysis, no specific patched version number is confirmed from available data sources - administrators should monitor the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/appointment/vulnerability/wordpress-appointment-theme-3-5-5-cross-site-request-forgery-csrf-to-arbitrary-file-upload-vulnerability for vendor patch announcements. If no patch is released promptly, consider replacing the Appointment theme with an alternative WordPress theme that provides similar functionality but maintains active security support. As an immediate workaround, restrict WordPress admin panel access to trusted IP addresses via web server configuration (.htaccess or nginx rules) and implement Web Application Firewall (WAF) rules to block suspicious file upload requests. Educate administrators to avoid clicking unknown links while logged into WordPress, and review wp-content/uploads and theme directories for recently modified PHP files that could indicate existing compromise. Monitor server logs for unusual file upload activity and POST requests to theme endpoints.

Share

CVE-2026-39620 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy