CVE-2026-39634
Received Received - Intake
CSRF Vulnerability in Grand Portfolio Plugin Allows Unauthorized Actions

Publication date: 2026-04-08

Last updated on: 2026-04-14

Assigner: Patchstack

Description
Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Portfolio grandportfolio allows Cross Site Request Forgery.This issue affects Grand Portfolio: from n/a through <= 3.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39634
EUVD
EUVD-2026-20289
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
themegoods grand_portfolio to 3.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39634 is a Cross Site Request Forgery (CSRF) vulnerability affecting the WordPress Grand Portfolio Theme versions up to and including 3.3.

This vulnerability allows an attacker to trick higher privileged users into executing unwanted actions while authenticated, such as by clicking a malicious link, visiting a crafted page, or submitting a form.

Although the vulnerability can be initiated by an unauthenticated user, successful exploitation requires user interaction from a privileged user.

Impact Analysis

The vulnerability can lead to unauthorized actions being performed by privileged users without their consent, potentially compromising the security and integrity of the affected website.

Since it is classified under OWASP Top 10 category A1: Broken Access Control, it may allow attackers to bypass normal access controls.

The risk is considered low with a CVSS score of 5.4 and is unlikely to be exploited, but mass-exploit campaigns could target thousands of websites indiscriminately.

Immediate mitigation involves updating the affected theme or seeking assistance from hosting providers or developers.

Mitigation Strategies

Immediate mitigation involves updating the affected theme or seeking assistance from hosting providers or developers.

Detection Guidance

CVE-2026-39634 is a Cross Site Request Forgery (CSRF) vulnerability affecting the WordPress Grand Portfolio Theme versions up to and including 3.3. Detection typically involves identifying if the vulnerable theme version is in use on your WordPress installation.

Since this is a theme vulnerability, you can check the installed theme version by using WordPress CLI commands or inspecting the theme files.

  • Use WP-CLI to check the theme version: wp theme list --status=active
  • Manually check the style.css file in the Grand Portfolio theme directory for the version number.

There are no specific network detection commands or signatures mentioned for this CSRF vulnerability, as it requires user interaction and is not detectable by simple network scanning.

Monitoring for suspicious user actions or unexpected changes in the WordPress admin area might help identify exploitation attempts.

Compliance Impact

The provided information does not specify any direct impact of this Cross-Site Request Forgery (CSRF) vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39634. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart