Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network CSRF needs no attacker auth (PR:N) but requires a privileged victim to interact (UI:R); resulting stored XSS crosses trust boundary (S:C) with limited C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Cross Site Request Forgery (CSRF) in SEOWP <= 3.12.2 versions.
AnalysisAI
Stored cross-site scripting via cross-site request forgery affects the SEOWP WordPress theme by BlueAstralThemes in all versions up to and including 3.12.2, allowing a remote unauthenticated attacker who tricks a logged-in administrator into loading a malicious page to forge a state-changing request that injects persistent script into the site. The CVSS 3.1 score of 7.1 reflects a scope change (attacker-controlled JavaScript executes in the victim's browser session) with limited confidentiality, integrity, and availability impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a currently authenticated WordPress user - realistically an administrator with access to the SEOWP theme's settings/content actions - is tricked into interacting with attacker-controlled content while their session is active (CVSS UI:R). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals point to a real but conditional risk rather than an urgent internet-wide emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a web page or email containing a hidden auto-submitting form (or image/fetch request) targeting the vulnerable SEOWP theme action and lures a logged-in WordPress administrator into opening it. The victim's browser silently submits the forged, cookie-authenticated request, which stores an attacker-controlled script; that script then executes whenever the affected page is rendered, potentially hijacking admin sessions. … |
| Remediation | No exact vendor-released fix version is present in the provided data, so treat the fix as: upgrade the SEOWP theme to the first release published after 3.12.2 once the vendor/Patchstack advisory (https://patchstack.com/database/wordpress/theme/seowp/vulnerability/wordpress-seowp-theme-3-12-2-csrf-to-stored-xss-vulnerability) confirms a patched build. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41316
GHSA-5979-4pcv-7m6g