Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicepress allows Upload a Web Shell to a Web Server.This issue affects SpicePress: from n/a through <= 2.3.2.5.
AnalysisAI
CSRF vulnerability in SpicePress WordPress theme versions ≤2.3.2.5 enables unauthenticated attackers to upload web shells via arbitrary plugin installation, achieving remote code execution. Successful exploitation requires user interaction (victim must click malicious link while authenticated). No public exploit identified at time of analysis. CVSS 8.8 score reflects network-accessible, low-complexity attack with high impact to confidentiality, integrity, and availability.
Technical ContextAI
CWE-352 CSRF flaw permits state-changing operations without request verification tokens. Attack chain leverages missing anti-CSRF protections in theme's plugin installation mechanism, allowing HTTP request forgery to install malicious plugins containing web shells. cpe:2.3:a:spicethemes:spicepress references WordPress theme component vulnerable through upload functionality.
RemediationAI
No vendor-released patch identified at time of analysis for SpicePress 2.3.2.5. Recommended immediate actions: (1) Deactivate SpicePress theme and migrate to actively maintained alternative WordPress theme; (2) Audit installed plugins for unauthorized additions; (3) Implement Web Application Firewall rules blocking unauthorized plugin uploads; (4) Monitor Patchstack advisory for vendor update: https://patchstack.com/database/Wordpress/Theme/spicepress/vulnerability/wordpress-spicepress-theme-2-3-2-5-csrf-to-arbitrary-plugin-installation-vulnerability?_s_id=cve. Workaround: Restrict WordPress admin access to trusted IP ranges via .htaccess or firewall ACLs. EPSS 0.01% indicates low observed exploitation activity.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20263
GHSA-pgqw-m834-qpv3