CVE-2026-39635
CSRF Vulnerability in Grand Magazine Plugin β€ 3.5.5 Allows Unauthorized Actions
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themegoods | grand_magazine | to 3.5.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-39635 vulnerability is a Cross Site Request Forgery (CSRF) issue that allows attackers to trick privileged users into executing unwanted actions. While this can lead to unauthorized actions within the affected WordPress theme, there is no direct information provided about its impact on compliance with common standards and regulations such as GDPR or HIPAA.
However, since CSRF vulnerabilities can potentially lead to unauthorized changes or data exposure, they may indirectly affect compliance by compromising data integrity or security controls required by such regulations.
Can you explain this vulnerability to me?
CVE-2026-39635 is a Cross Site Request Forgery (CSRF) vulnerability affecting the WordPress Grand Magazine Theme versions up to and including 3.5.5.
This vulnerability allows attackers to trick higher privileged users into executing unwanted actions while authenticated, by having them perform actions such as clicking malicious links, visiting crafted pages, or submitting forms.
It is classified under OWASP Top 10 A1: Broken Access Control and has a CVSS severity score of 5.4, indicating a low priority threat with limited impact.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to perform unauthorized actions on your WordPress site if a privileged user is tricked into interacting with malicious content.
Such actions could include changes to site settings or content that the attacker should not be able to perform.
However, exploitation requires user interaction from a privileged user and the vulnerability is considered unlikely to be widely exploited due to its low severity.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the affected theme if possible or seeking assistance from hosting providers or web developers.