Skip to main content

Grand Magazine CVE-2026-39635

| EUVDEUVD-2026-20290 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-08 Patchstack GHSA-h7cf-327q-35rq
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20290
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.4

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Magazine grandmagazine allows Cross Site Request Forgery.This issue affects Grand Magazine: from n/a through <= 3.5.5.

AnalysisAI

Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Magazine WordPress theme versions up to 3.5.5 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users via crafted malicious web pages. The vulnerability requires user interaction (clicking a link or visiting a malicious page) but carries low real-world exploitation probability despite the moderate CVSS score, as reflected by an EPSS score of 0.01% (1st percentile). No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

This vulnerability is rooted in inadequate CSRF token validation within the Grand Magazine WordPress theme. CWE-352 (Cross-Site Request Forgery) occurs when a web application does not properly verify that state-changing requests originate from the intended user, allowing attackers to craft forged requests that execute actions in the context of an authenticated session. The vulnerability affects the WordPress theme (CPE: cpe:2.3:a:themegoods:grand_magazine:*:*:*:*:*:*:*:*) across all versions from the initial release through 3.5.5. WordPress themes are loaded on every page of a WordPress site, making CSRF protections in theme functionality critical to site security, though the impact scope is limited to theme-specific features rather than core WordPress.

RemediationAI

Update the Grand Magazine theme to a version above 3.5.5; consult the official ThemeGoods Grand Magazine release notes or the Patchstack database for the patched version number. Users should navigate to their WordPress dashboard, go to Appearance > Themes, and update the theme if an update is available. As a temporary mitigation prior to patching, site administrators may restrict theme functionality to trusted users only or implement Web Application Firewall (WAF) rules to detect and block cross-origin requests to sensitive theme actions. For detailed patching guidance, refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/grandmagazine/vulnerability/wordpress-grand-magazine-theme-3-5-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve.

Share

CVE-2026-39635 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy