Skip to main content

WordPress Dating Theme EUVDEUVD-2026-37661

| CVE-2026-22342 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-17 Patchstack
8.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Classic CSRF: attacker is network-unauthenticated (PR:N) but needs victim to click (UI:R); account takeover yields full C/I/A impact within the same site (S:U).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 12:29 vuln.today
CVE Published
Jun 17, 2026 - 09:50 cve.org
HIGH 8.8

DescriptionCVE.org

Unauthenticated Cross Site Request Forgery (CSRF) in WordPress Dating Theme <= 11.2.0 versions.

AnalysisAI

Cross-Site Request Forgery in PremiumPress WordPress Dating Theme versions 11.2.0 and earlier allows remote attackers to coerce authenticated victims into performing unintended state-changing actions, with Patchstack documenting an account takeover path. The CVSS 8.8 rating reflects high impact on confidentiality, integrity, and availability when a targeted user is tricked into visiting attacker-controlled content. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify site running vulnerable Dating Theme
Delivery
Host malicious page with forged request
Exploit
Lure authenticated victim via phishing link
Install
Browser submits request with session cookie
C2
Theme processes profile change without nonce check
Execute
Attacker controls victim email and password
Impact
Full account takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target site runs PremiumPress WordPress Dating Theme at version 11.2.0 or earlier, that a victim user is actively authenticated to that site in the same browser, and that the victim is induced to load attacker-controlled content (UI:R) such as a malicious page, email, or third-party site embedding a forged request. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H is internally consistent for CSRF: the attacker is unauthenticated to the target application (PR:N) but exploitation rides the victim's existing session, hence UI:R. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a page containing an auto-submitting HTML form (or an <img> tag for GET-based endpoints) that targets the vulnerable theme's profile-update or password-change handler, then lures a logged-in dating-site user - ideally an administrator - to visit it via phishing, a forum link, or a malvertising banner. The victim's browser silently submits the request with their session cookie, allowing the attacker to change the account's email and password and take over the account; no public PoC has been published beyond Patchstack's writeup.
Remediation Patch available per vendor advisory - upgrade the WordPress Dating Theme to a release later than 11.2.0 as soon as PremiumPress publishes a fixed build, tracked via the Patchstack entry at https://patchstack.com/database/wordpress/theme/da10/vulnerability/wordpress-wordpress-dating-theme-theme-11-2-0-cross-site-request-forgery-csrf-to-account-takeover-vulnerability (no exact fixed version was provided in the input data, so confirm the patched release number directly with PremiumPress before relying on it). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations running PremiumPress Dating Theme version 11.2.0 or earlier; flag for priority remediation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37661 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy