CVE-2026-39621
CSRF in SpicePress β€ 2.3.2.5 Enables Web Shell Upload
Publication date: 2026-04-08
Last updated on: 2026-04-09
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| spicethemes | spicepress | to 2.3.2.5 (inc) |
| spicethemes | spicepress | 2.3.2.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39621 is a Cross-Site Request Forgery (CSRF) vulnerability found in the WordPress SpicePress Theme versions up to and including 2.3.2.5.
This vulnerability allows attackers to trick privileged users into performing unwanted actions while they are authenticated, such as clicking malicious links, visiting crafted pages, or submitting forms.
Although the attacker does not need to be authenticated, the attack requires interaction by a privileged user to be successful.
The vulnerability is classified under OWASP Top 10 A1: Broken Access Control and has a high CVSS severity score of 8.8.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the CVE-2026-39621 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
This vulnerability can allow attackers to upload a web shell to a web server by exploiting the CSRF flaw in the SpicePress theme.
Successful exploitation can lead to unauthorized actions being executed on your website by tricking privileged users, potentially compromising the security and integrity of your web server.
Because the vulnerability can be used in mass-exploit campaigns targeting many websites, it poses a significant risk regardless of your site's traffic or popularity.
Mitigation is challenging since no official patch is available, and simply deactivating the theme does not remove the threat; removing or replacing the theme or applying specific mitigation rules is recommended.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-39621 vulnerability in the SpicePress WordPress theme, immediate steps include removing and replacing the affected theme entirely.
Simply deactivating the theme does not eliminate the security threat.
Alternatively, deploying Patchstackβs mitigation rules can help reduce the risk.