Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Cross Site Request Forgery.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.
AnalysisAI
Cross-site request forgery (CSRF) in stmcan RT-Theme 18 Extensions plugin version 2.5 and earlier allows unauthenticated remote attackers to perform unintended actions on behalf of authenticated users through crafted requests, requiring user interaction. EPSS exploitation probability is minimal at 0.01%, and no public exploit code or active exploitation has been identified; however, the vulnerability carries real-world risk due to the low technical bar for CSRF attacks and the plugin's web-accessible attack surface.
Technical ContextAI
RT-Theme 18 Extensions is a WordPress plugin providing theme extensions and functionality. The vulnerability stems from missing or insufficient CSRF token validation (CWE-352: Cross-Site Request Forgery), a foundational web application security flaw. The plugin fails to verify cryptographic nonces on state-changing requests, allowing an attacker to craft a malicious webpage or email that, when visited by a logged-in WordPress administrator or user, silently executes unauthorized actions within the plugin's scope. The affected CPE (cpe:2.3:a:stmcan:rt-theme_18_|_extensions:*:*:*:*:*:*:*:*) identifies all versions of the plugin; the vulnerability impacts versions from initial release through version 2.5.
RemediationAI
Upgrade stmcan RT-Theme 18 Extensions to a version later than 2.5 immediately upon availability. Consult the Patchstack vulnerability advisory (https://patchstack.com/database/Wordpress/Plugin/rt18-extensions/vulnerability/wordpress-rt-theme-18-extensions-plugin-2-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) for patched release notes and availability timelines. In the interim, if the plugin cannot be immediately updated, implement WordPress security hardening measures: enforce strong administrator passwords, enable two-factor authentication for all administrative accounts, and restrict plugin access to trusted IP addresses via .htaccess or Web Application Firewall rules. Additionally, audit WordPress user roles and remove unnecessary administrator accounts to reduce the attack surface for CSRF exploitation. Monitor WordPress security plugins (e.g., Wordfence) for CSRF-specific threat signatures targeting this plugin.
More in Rt Theme 18 Extensions
View allPHP Object Injection in the RT-Theme 18 | Extensions plugin (rt18-extensions) for WordPress affects all versions up to a
PHP Local File Inclusion in the WordPress RT-Theme 18 | Extensions plugin (rt18-extensions) by stmcan lets remote attack
Reflected cross-site scripting in the stmcan RT-Theme 18 | Extensions WordPress plugin (all versions up to and including
RT-Theme 18 Extensions WordPress plugin versions up to 2.5 exposes sensitive data through insertion of information into
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20417
GHSA-h4g3-j2wx-7hjc