Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in themearile NewsExo newsexo allows Cross Site Request Forgery.This issue affects NewsExo: from n/a through <= 7.1.
AnalysisAI
Cross-Site Request Forgery in themearile NewsExo WordPress theme versions through 7.1 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users with user interaction (clicking a malicious link). The vulnerability has a CVSS score of 4.3 with low integrity impact but no confidentiality or availability impact. EPSS exploitation probability is negligible at 0.01%, and no public exploit code or active exploitation has been confirmed.
Technical ContextAI
The vulnerability is a classic Cross-Site Request Forgery (CSRF/XSRF) attack vector affecting the themearile NewsExo WordPress theme. CSRF vulnerabilities (CWE-352) occur when a web application fails to implement proper anti-CSRF protections such as nonce validation, SameSite cookie attributes, or token verification. WordPress themes typically interact with the WordPress REST API or admin functionality, and without proper nonce checks on state-changing requests, an attacker can craft malicious HTML or JavaScript that, when visited by an authenticated administrator or user, will automatically submit requests to perform actions like modifying theme settings, creating posts, or changing configurations. The affected CPE (cpe:2.3:a:themearile:newsexo:*:*:*:*:*:*:*:*) indicates all versions of the NewsExo product are potentially affected, though the advisory specifically targets versions up to 7.1.
RemediationAI
WordPress site administrators using themearile NewsExo should update the theme to a patched version greater than 7.1 as soon as available from the theme vendor. Until a patched version is released, administrators should verify that WordPress nonce verification is enabled and audit theme code for proper nonce checks on all state-changing requests. As a temporary mitigation, consider restricting theme access to trusted administrators and monitor for unusual administrative activity. Site owners should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/newsexo/vulnerability/wordpress-newsexo-theme-7-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) for the latest patch release details from themearile.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20259
GHSA-4wp9-rh2v-cjvx