CVE-2026-39641
Cross-Site Request Forgery in Skywarrior Blackfyre
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| skywarrior | blackfyre | to 2.5.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the Cross-Site Request Forgery (CSRF) vulnerability in the Skywarrior Blackfyre theme impacts compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-39641 is a Cross Site Request Forgery (CSRF) vulnerability affecting the WordPress Blackfyre Theme versions up to and including 2.5.4.
This vulnerability allows attackers to trick privileged users into executing unwanted actions while authenticated by methods such as clicking malicious links, visiting crafted pages, or submitting forms.
Although the attacker does not need to be authenticated, successful exploitation requires user interaction by a privileged user.
It is classified under the OWASP Top 10 category A1: Broken Access Control and has a CVSS severity score of 6.5.
How can this vulnerability impact me? :
This vulnerability can allow attackers to perform unauthorized actions on a website by exploiting the trust of privileged users.
If exploited, attackers could cause privileged users to unknowingly execute actions that may compromise the website's integrity or security.
However, the impact is considered low severity and low priority, and it is unlikely to be exploited in targeted attacks but may be used in mass-exploit campaigns affecting many websites.
No official patch is currently available, so immediate mitigation involves updating the theme when possible or seeking help from hosting providers or web developers.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the affected WordPress Blackfyre Theme to a version later than 2.5.4 if available.
If no official patch is available, seek assistance from your hosting provider or web developers to implement protective measures.