Skip to main content

Newsexo EUVDEUVD-2026-20259

| CVE-2026-39618 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-08 Patchstack GHSA-4wp9-rh2v-cjvx
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 15:25 vuln.today
CVSS changed
Apr 14, 2026 - 15:22 NVD
4.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20259
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in themearile NewsExo newsexo allows Cross Site Request Forgery.This issue affects NewsExo: from n/a through <= 7.1.

AnalysisAI

Cross-Site Request Forgery in themearile NewsExo WordPress theme versions through 7.1 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users with user interaction (clicking a malicious link). The vulnerability has a CVSS score of 4.3 with low integrity impact but no confidentiality or availability impact. EPSS exploitation probability is negligible at 0.01%, and no public exploit code or active exploitation has been confirmed.

Technical ContextAI

The vulnerability is a classic Cross-Site Request Forgery (CSRF/XSRF) attack vector affecting the themearile NewsExo WordPress theme. CSRF vulnerabilities (CWE-352) occur when a web application fails to implement proper anti-CSRF protections such as nonce validation, SameSite cookie attributes, or token verification. WordPress themes typically interact with the WordPress REST API or admin functionality, and without proper nonce checks on state-changing requests, an attacker can craft malicious HTML or JavaScript that, when visited by an authenticated administrator or user, will automatically submit requests to perform actions like modifying theme settings, creating posts, or changing configurations. The affected CPE (cpe:2.3:a:themearile:newsexo:*:*:*:*:*:*:*:*) indicates all versions of the NewsExo product are potentially affected, though the advisory specifically targets versions up to 7.1.

RemediationAI

WordPress site administrators using themearile NewsExo should update the theme to a patched version greater than 7.1 as soon as available from the theme vendor. Until a patched version is released, administrators should verify that WordPress nonce verification is enabled and audit theme code for proper nonce checks on all state-changing requests. As a temporary mitigation, consider restricting theme access to trusted administrators and monitor for unusual administrative activity. Site owners should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/newsexo/vulnerability/wordpress-newsexo-theme-7-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) for the latest patch release details from themearile.

Share

EUVD-2026-20259 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy