Skip to main content

Rt Theme 18 Extensions CVE-2026-39710

| EUVDEUVD-2026-20417 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-08 Patchstack GHSA-h4g3-j2wx-7hjc
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20417
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.4

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Cross Site Request Forgery.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.

AnalysisAI

Cross-site request forgery (CSRF) in stmcan RT-Theme 18 Extensions plugin version 2.5 and earlier allows unauthenticated remote attackers to perform unintended actions on behalf of authenticated users through crafted requests, requiring user interaction. EPSS exploitation probability is minimal at 0.01%, and no public exploit code or active exploitation has been identified; however, the vulnerability carries real-world risk due to the low technical bar for CSRF attacks and the plugin's web-accessible attack surface.

Technical ContextAI

RT-Theme 18 Extensions is a WordPress plugin providing theme extensions and functionality. The vulnerability stems from missing or insufficient CSRF token validation (CWE-352: Cross-Site Request Forgery), a foundational web application security flaw. The plugin fails to verify cryptographic nonces on state-changing requests, allowing an attacker to craft a malicious webpage or email that, when visited by a logged-in WordPress administrator or user, silently executes unauthorized actions within the plugin's scope. The affected CPE (cpe:2.3:a:stmcan:rt-theme_18_|_extensions:*:*:*:*:*:*:*:*) identifies all versions of the plugin; the vulnerability impacts versions from initial release through version 2.5.

RemediationAI

Upgrade stmcan RT-Theme 18 Extensions to a version later than 2.5 immediately upon availability. Consult the Patchstack vulnerability advisory (https://patchstack.com/database/Wordpress/Plugin/rt18-extensions/vulnerability/wordpress-rt-theme-18-extensions-plugin-2-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) for patched release notes and availability timelines. In the interim, if the plugin cannot be immediately updated, implement WordPress security hardening measures: enforce strong administrator passwords, enable two-factor authentication for all administrative accounts, and restrict plugin access to trusted IP addresses via .htaccess or Web Application Firewall rules. Additionally, audit WordPress user roles and remove unnecessary administrator accounts to reduce the attack surface for CSRF exploitation. Monitor WordPress security plugins (e.g., Wordfence) for CSRF-specific threat signatures targeting this plugin.

Share

CVE-2026-39710 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy