Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Magazine grandmagazine allows Cross Site Request Forgery.This issue affects Grand Magazine: from n/a through <= 3.5.5.
AnalysisAI
Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Magazine WordPress theme versions up to 3.5.5 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users via crafted malicious web pages. The vulnerability requires user interaction (clicking a link or visiting a malicious page) but carries low real-world exploitation probability despite the moderate CVSS score, as reflected by an EPSS score of 0.01% (1st percentile). No public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
This vulnerability is rooted in inadequate CSRF token validation within the Grand Magazine WordPress theme. CWE-352 (Cross-Site Request Forgery) occurs when a web application does not properly verify that state-changing requests originate from the intended user, allowing attackers to craft forged requests that execute actions in the context of an authenticated session. The vulnerability affects the WordPress theme (CPE: cpe:2.3:a:themegoods:grand_magazine:*:*:*:*:*:*:*:*) across all versions from the initial release through 3.5.5. WordPress themes are loaded on every page of a WordPress site, making CSRF protections in theme functionality critical to site security, though the impact scope is limited to theme-specific features rather than core WordPress.
RemediationAI
Update the Grand Magazine theme to a version above 3.5.5; consult the official ThemeGoods Grand Magazine release notes or the Patchstack database for the patched version number. Users should navigate to their WordPress dashboard, go to Appearance > Themes, and update the theme if an update is available. As a temporary mitigation prior to patching, site administrators may restrict theme functionality to trusted users only or implement Web Application Firewall (WAF) rules to detect and block cross-origin requests to sensitive theme actions. For detailed patching guidance, refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/grandmagazine/vulnerability/wordpress-grand-magazine-theme-3-5-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20290
GHSA-h7cf-327q-35rq