Skip to main content

Child Theme Wizard CVE-2026-57655

| EUVDEUVD-2026-39770 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-26 audit@patchstack.com GHSA-rfg3-55h8-446c
8.2
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L
vuln.today AI
8.2 HIGH

Remote unauthenticated CSRF (AV:N/PR:N) requires a logged-in admin to interact (UI:R); forged privileged action changes site state across components (S:C, I:H) with minor availability impact and no direct data disclosure.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:46 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Request Forgery (CSRF) in Child Theme Wizard <= 1.4 versions.

AnalysisAI

Cross-Site Request Forgery in the Child Theme Wizard WordPress plugin (versions 1.4 and earlier) lets a remote, unauthenticated attacker trick a logged-in administrator into submitting forged state-changing requests, allowing unauthorized actions on the WordPress site without the victim's consent. The CVSS 3.1 score is 8.2 with a scope-change (S:C) and high integrity impact, reflecting that the forged action can affect resources beyond the vulnerable component. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host malicious CSRF page
Delivery
Lure logged-in admin to visit
Exploit
Browser sends forged request with session cookie
Execution
Plugin processes action without nonce check
Impact
Unauthorized state change on site

Vulnerability AssessmentAI

Exploitation Exploitation requires that a victim with an active, authenticated WordPress session (realistically an administrator, given the high integrity / scope-change impact) be induced to interact with attacker-controlled content - visiting a malicious page or clicking a crafted link (UI:R) - while the vulnerable Child Theme Wizard plugin (<= 1.4) is installed and active. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are partially complete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious web page containing an auto-submitting form (or image/script tag) that targets the plugin's vulnerable action endpoint and lures a logged-in WordPress administrator to visit it. Because the request rides on the admin's authenticated session and lacks a valid nonce check, the forged state-changing action executes with admin privileges. …
Remediation Update to a fixed release of Child Theme Wizard above version 1.4 once the vendor publishes one; the input data does not specify an exact patched version, so confirm the fixed build directly via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/child-theme-wizard/vulnerability/wordpress-child-theme-wizard-plugin-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) and the WordPress plugin repository before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all WordPress instances running Child Theme Wizard plugin versions 1.4 or earlier; disable the plugin immediately and document the change. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57655 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy