CVE-2026-39634
CSRF Vulnerability in Grand Portfolio Plugin Allows Unauthorized Actions
Publication date: 2026-04-08
Last updated on: 2026-04-14
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themegoods | grand_portfolio | to 3.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39634 is a Cross Site Request Forgery (CSRF) vulnerability affecting the WordPress Grand Portfolio Theme versions up to and including 3.3.
This vulnerability allows an attacker to trick higher privileged users into executing unwanted actions while authenticated, such as by clicking a malicious link, visiting a crafted page, or submitting a form.
Although the vulnerability can be initiated by an unauthenticated user, successful exploitation requires user interaction from a privileged user.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized actions being performed by privileged users without their consent, potentially compromising the security and integrity of the affected website.
Since it is classified under OWASP Top 10 category A1: Broken Access Control, it may allow attackers to bypass normal access controls.
The risk is considered low with a CVSS score of 5.4 and is unlikely to be exploited, but mass-exploit campaigns could target thousands of websites indiscriminately.
Immediate mitigation involves updating the affected theme or seeking assistance from hosting providers or developers.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the affected theme or seeking assistance from hosting providers or developers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this Cross-Site Request Forgery (CSRF) vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
CVE-2026-39634 is a Cross Site Request Forgery (CSRF) vulnerability affecting the WordPress Grand Portfolio Theme versions up to and including 3.3. Detection typically involves identifying if the vulnerable theme version is in use on your WordPress installation.
Since this is a theme vulnerability, you can check the installed theme version by using WordPress CLI commands or inspecting the theme files.
- Use WP-CLI to check the theme version: wp theme list --status=active
- Manually check the style.css file in the Grand Portfolio theme directory for the version number.
There are no specific network detection commands or signatures mentioned for this CSRF vulnerability, as it requires user interaction and is not detectable by simple network scanning.
Monitoring for suspicious user actions or unexpected changes in the WordPress admin area might help identify exploitation attempts.