Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Blog grandblog allows Cross Site Request Forgery.This issue affects Grand Blog: from n/a through <= 3.1.
AnalysisAI
Cross-Site Request Forgery (CSRF) in ThemeGoods Grand Blog theme through version 3.1 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users via specially crafted requests. The vulnerability requires user interaction (clicking a malicious link or visiting a compromised page) but carries a high integrity impact, enabling attackers to modify site content, settings, or user accounts without the victim's knowledge.
Technical ContextAI
CSRF vulnerabilities (CWE-352) occur when web applications fail to validate that state-changing requests originate from legitimate users rather than forged cross-origin requests. The Grand Blog WordPress theme does not properly implement anti-CSRF tokens or same-origin policy protections on sensitive operations. Affected versions through 3.1 lack adequate nonce verification on administrative or user-facing functions, allowing attackers to craft HTML or JavaScript payloads that, when loaded by a logged-in user, execute unintended actions (such as modifying theme settings, creating posts, or changing user permissions) within the context of the victim's authenticated session.
RemediationAI
Vendors and users should upgrade ThemeGoods Grand Blog to version 3.2 or later, which addresses the CSRF vulnerability through implementation of proper nonce verification and anti-CSRF token validation. Site administrators currently running versions through 3.1 must navigate to their WordPress theme management console and apply the available patch immediately. Until patching is possible, administrators should implement additional hardening measures such as enabling WordPress security headers (X-Frame-Options, Content-Security-Policy) and employing Web Application Firewall (WAF) rules to detect and block cross-origin forged requests. Additional guidance and patch availability can be confirmed via the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/grandblog/vulnerability/wordpress-grand-blog-theme-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20284
GHSA-c8hx-4wwq-pq7f