Skip to main content

Grand Portfolio CVE-2026-39634

| EUVDEUVD-2026-20289 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-08 Patchstack
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 15:26 vuln.today
CVSS changed
Apr 14, 2026 - 15:22 NVD
5.4 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20289
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Portfolio grandportfolio allows Cross Site Request Forgery.This issue affects Grand Portfolio: from n/a through <= 3.3.

AnalysisAI

Cross-Site Request Forgery (CSRF) in ThemeGoods Grand Portfolio WordPress theme versions up to 3.3 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users with low integrity and availability impact. The vulnerability requires user interaction (UI:R) to trigger a malicious request. No public exploit code or active exploitation has been confirmed, and the EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite the CVSS 5.4 rating.

Technical ContextAI

Grand Portfolio is a WordPress theme distributed via the WordPress.org theme repository. CSRF vulnerabilities (CWE-352) occur when an application fails to implement anti-CSRF tokens (such as nonces in WordPress) or validate the origin of requests. The theme's lack of proper CSRF protection mechanisms allows attackers to craft malicious web pages or requests that, when visited by an authenticated admin or user, can trigger unintended actions-such as theme settings modifications or content changes-without the user's knowledge. The vulnerability affects all versions from the initial release through version 3.3, indicating the protection was either never implemented or introduced after 3.3.

RemediationAI

Upgrade ThemeGoods Grand Portfolio to a version later than 3.3; the vendor advisory from Patchstack should confirm the exact patched version number. If upgrading is not immediately feasible, implement WordPress-level CSRF protections by ensuring all form submissions include valid WordPress nonces (wp_nonce_field() in forms and wp_verify_nonce() in handlers), and restrict administrative actions to logged-in users with appropriate capabilities. Review the theme's codebase in functions.php and relevant template files to identify forms lacking nonce validation, then add nonces to all state-changing requests. For WordPress administrators, enforce strong admin passwords, use two-factor authentication plugins, and monitor admin activity logs for suspicious changes. Refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/grandportfolio/ for vendor-specific guidance.

Share

CVE-2026-39634 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy