Skip to main content

Grand Blog EUVDEUVD-2026-20284

| CVE-2026-39632 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-08 Patchstack GHSA-c8hx-4wwq-pq7f
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 15:26 vuln.today
CVSS changed
Apr 14, 2026 - 15:22 NVD
6.5 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20284
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Blog grandblog allows Cross Site Request Forgery.This issue affects Grand Blog: from n/a through <= 3.1.

AnalysisAI

Cross-Site Request Forgery (CSRF) in ThemeGoods Grand Blog theme through version 3.1 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users via specially crafted requests. The vulnerability requires user interaction (clicking a malicious link or visiting a compromised page) but carries a high integrity impact, enabling attackers to modify site content, settings, or user accounts without the victim's knowledge.

Technical ContextAI

CSRF vulnerabilities (CWE-352) occur when web applications fail to validate that state-changing requests originate from legitimate users rather than forged cross-origin requests. The Grand Blog WordPress theme does not properly implement anti-CSRF tokens or same-origin policy protections on sensitive operations. Affected versions through 3.1 lack adequate nonce verification on administrative or user-facing functions, allowing attackers to craft HTML or JavaScript payloads that, when loaded by a logged-in user, execute unintended actions (such as modifying theme settings, creating posts, or changing user permissions) within the context of the victim's authenticated session.

RemediationAI

Vendors and users should upgrade ThemeGoods Grand Blog to version 3.2 or later, which addresses the CSRF vulnerability through implementation of proper nonce verification and anti-CSRF token validation. Site administrators currently running versions through 3.1 must navigate to their WordPress theme management console and apply the available patch immediately. Until patching is possible, administrators should implement additional hardening measures such as enabling WordPress security headers (X-Frame-Options, Content-Security-Policy) and employing Web Application Firewall (WAF) rules to detect and block cross-origin forged requests. Additional guidance and patch availability can be confirmed via the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/grandblog/vulnerability/wordpress-grand-blog-theme-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve.

Share

EUVD-2026-20284 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy