Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Portfolio grandportfolio allows Cross Site Request Forgery.This issue affects Grand Portfolio: from n/a through <= 3.3.
AnalysisAI
Cross-Site Request Forgery (CSRF) in ThemeGoods Grand Portfolio WordPress theme versions up to 3.3 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users with low integrity and availability impact. The vulnerability requires user interaction (UI:R) to trigger a malicious request. No public exploit code or active exploitation has been confirmed, and the EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite the CVSS 5.4 rating.
Technical ContextAI
Grand Portfolio is a WordPress theme distributed via the WordPress.org theme repository. CSRF vulnerabilities (CWE-352) occur when an application fails to implement anti-CSRF tokens (such as nonces in WordPress) or validate the origin of requests. The theme's lack of proper CSRF protection mechanisms allows attackers to craft malicious web pages or requests that, when visited by an authenticated admin or user, can trigger unintended actions-such as theme settings modifications or content changes-without the user's knowledge. The vulnerability affects all versions from the initial release through version 3.3, indicating the protection was either never implemented or introduced after 3.3.
RemediationAI
Upgrade ThemeGoods Grand Portfolio to a version later than 3.3; the vendor advisory from Patchstack should confirm the exact patched version number. If upgrading is not immediately feasible, implement WordPress-level CSRF protections by ensuring all form submissions include valid WordPress nonces (wp_nonce_field() in forms and wp_verify_nonce() in handlers), and restrict administrative actions to logged-in users with appropriate capabilities. Review the theme's codebase in functions.php and relevant template files to identify forms lacking nonce validation, then add nonces to all state-changing requests. For WordPress administrators, enforce strong admin passwords, use two-factor authentication plugins, and monitor admin activity logs for suspicious changes. Refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/grandportfolio/ for vendor-specific guidance.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20289