Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L
Remote unauthenticated CSRF (AV:N/PR:N) requires a logged-in admin to interact (UI:R); forged privileged action changes site state across components (S:C, I:H) with minor availability impact and no direct data disclosure.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Request Forgery (CSRF) in Child Theme Wizard <= 1.4 versions.
AnalysisAI
Cross-Site Request Forgery in the Child Theme Wizard WordPress plugin (versions 1.4 and earlier) lets a remote, unauthenticated attacker trick a logged-in administrator into submitting forged state-changing requests, allowing unauthorized actions on the WordPress site without the victim's consent. The CVSS 3.1 score is 8.2 with a scope-change (S:C) and high integrity impact, reflecting that the forged action can affect resources beyond the vulnerable component. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a victim with an active, authenticated WordPress session (realistically an administrator, given the high integrity / scope-change impact) be induced to interact with attacker-controlled content - visiting a malicious page or clicking a crafted link (UI:R) - while the vulnerable Child Theme Wizard plugin (<= 1.4) is installed and active. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are partially complete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious web page containing an auto-submitting form (or image/script tag) that targets the plugin's vulnerable action endpoint and lures a logged-in WordPress administrator to visit it. Because the request rides on the admin's authenticated session and lacks a valid nonce check, the forged state-changing action executes with admin privileges. … |
| Remediation | Update to a fixed release of Child Theme Wizard above version 1.4 once the vendor publishes one; the input data does not specify an exact patched version, so confirm the fixed build directly via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/child-theme-wizard/vulnerability/wordpress-child-theme-wizard-plugin-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) and the WordPress plugin repository before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all WordPress instances running Child Theme Wizard plugin versions 1.4 or earlier; disable the plugin immediately and document the change. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39770
GHSA-rfg3-55h8-446c