Skip to main content

Werkstatt Theme CVE-2026-57690

| EUVDEUVD-2026-41299 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-02 Patchstack GHSA-c6wx-4wg3-cr9h
4.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-reachable CSRF requiring no attacker privileges but mandatory victim interaction; integrity-only impact with no confidentiality or availability effect matches the CWE-352 pattern.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:33 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Request Forgery (CSRF) in Werkstatt <= 4.7.2 versions.

AnalysisAI

Cross-Site Request Forgery in the Werkstatt WordPress theme (FuelThemes) version 4.7.2 and earlier allows remote unauthenticated attackers to perform unauthorized state-changing actions on behalf of authenticated WordPress users. The flaw stems from missing or inadequate CSRF token validation on one or more theme action endpoints, meaning a crafted web page or link can silently trigger privileged operations when visited by a logged-in user. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker identifies target WordPress site running Werkstatt <= 4.7.2
Delivery
Craft forged HTML form targeting vulnerable theme endpoint
Exploit
Deliver malicious link to authenticated WordPress user via phishing
Execution
Victim clicks link while logged into WordPress
Persist
Browser auto-submits forged request with victim session
Impact
Unauthorized state change executes within WordPress

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target WordPress site is running the Werkstatt theme in a version at or below 4.7.2. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (Medium) reflects a constrained but genuine risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious HTML page containing a hidden form or JavaScript that automatically submits a forged HTTP request targeting a Werkstatt theme action endpoint. The attacker distributes the link (via email, social media, or a compromised site) to a WordPress site owner who is currently logged in. …
Remediation Update the Werkstatt theme to a version later than 4.7.2 as reported by Patchstack. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57690 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy