Skip to main content

SEOWP EUVDEUVD-2026-41316

| CVE-2026-57761 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-02 Patchstack GHSA-5979-4pcv-7m6g
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network CSRF needs no attacker auth (PR:N) but requires a privileged victim to interact (UI:R); resulting stored XSS crosses trust boundary (S:C) with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
CVE Published
Jul 02, 2026 - 12:27 cve.org
HIGH 7.1
Analysis Generated
Jul 02, 2026 - 12:21 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Request Forgery (CSRF) in SEOWP <= 3.12.2 versions.

AnalysisAI

Stored cross-site scripting via cross-site request forgery affects the SEOWP WordPress theme by BlueAstralThemes in all versions up to and including 3.12.2, allowing a remote unauthenticated attacker who tricks a logged-in administrator into loading a malicious page to forge a state-changing request that injects persistent script into the site. The CVSS 3.1 score of 7.1 reflects a scope change (attacker-controlled JavaScript executes in the victim's browser session) with limited confidentiality, integrity, and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure logged-in admin to malicious page
Delivery
Browser auto-submits forged theme request
Exploit
Missing CSRF token accepted, input stored
Execution
Stored XSS renders in admin session
Impact
Execute script, hijack privileges

Vulnerability AssessmentAI

Exploitation Exploitation requires that a currently authenticated WordPress user - realistically an administrator with access to the SEOWP theme's settings/content actions - is tricked into interacting with attacker-controlled content while their session is active (CVSS UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals point to a real but conditional risk rather than an urgent internet-wide emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a web page or email containing a hidden auto-submitting form (or image/fetch request) targeting the vulnerable SEOWP theme action and lures a logged-in WordPress administrator into opening it. The victim's browser silently submits the forged, cookie-authenticated request, which stores an attacker-controlled script; that script then executes whenever the affected page is rendered, potentially hijacking admin sessions. …
Remediation No exact vendor-released fix version is present in the provided data, so treat the fix as: upgrade the SEOWP theme to the first release published after 3.12.2 once the vendor/Patchstack advisory (https://patchstack.com/database/wordpress/theme/seowp/vulnerability/wordpress-seowp-theme-3-12-2-csrf-to-stored-xss-vulnerability) confirms a patched build. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41316 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy