CVE-2026-39710
Cross-Site Request Forgery in RT-Theme 18 Extensions
Publication date: 2026-04-08
Last updated on: 2026-04-08
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stmcan | rt-theme | up to 2.5 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the Cross-Site Request Forgery (CSRF) vulnerability in RT-Theme 18 | Extensions affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-39710 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WordPress RT-Theme 18 | Extensions plugin, versions up to and including 2.5.
The vulnerability allows a malicious actor to make higher-privileged users perform unwanted actions while they are authenticated, by tricking them into clicking a malicious link, visiting a crafted page, or submitting a form.
The exploit requires user interaction and the involvement of a privileged user, but no authentication is needed to initiate the attack.
It is classified under OWASP Top 10 A1: Broken Access Control.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized actions being performed on your WordPress site by tricking privileged users into executing malicious requests.
Such actions could include changes to site settings, content, or other administrative functions that the privileged user has access to.
Although the severity is rated low (CVSS score 5.4), it can still be exploited in mass campaigns targeting many websites regardless of their traffic or popularity.
No authentication is required to initiate the attack, but it does require the involvement of a privileged user to succeed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Cross-Site Request Forgery (CSRF) affecting the RT-Theme 18 | Extensions plugin, versions up to and including 2.5. Detection typically involves monitoring for suspicious HTTP requests that attempt to perform state-changing actions without a valid CSRF token or without a plausible same-site origin.
Since the vulnerability requires user interaction and targets privileged users, network detection can focus on identifying unusual POST requests or GET requests with side effects to the affected plugin endpoints.
Specific commands are not provided in the available resources. However, general approaches include using web application firewalls (WAF) to log and analyze requests, or employing tools like curl or Burp Suite to test for CSRF protection by attempting to replicate unauthorized requests.
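As an added illustration of the log-based detection approach described above (this is example code, not from the advisory or the plugin): a small Python scanner that flags state-changing requests to the standard WordPress handler endpoints whose Origin/Referer points to a foreign site or is absent. The log lines, the site host `shop.example`, the extended log format (combined format plus a trailing quoted Origin field) and the query parameter names are all constructed assumptions.

```python
"""Flag cross-site or source-less requests to WordPress admin handler endpoints."""
import re
from urllib.parse import urlsplit

# Constructed sample access log (combined format plus a trailing quoted Origin header).
# Hosts, addresses and the 'action' parameter name are invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Apr/2026:10:00:01 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://shop.example/wp-admin/admin.php?page=settings" "Mozilla/5.0" "https://shop.example"
203.0.113.9 - - [08/Apr/2026:10:00:07 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://evil.example/lure.html" "Mozilla/5.0" "https://evil.example"
203.0.113.9 - - [08/Apr/2026:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=save_settings&enable=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0" "-"
198.51.100.2 - - [08/Apr/2026:10:01:00 +0000] "GET /blog/ HTTP/1.1" 200 5123 "https://evil.example/lure.html" "Mozilla/5.0" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<origin>[^"]*)"$'
)

# Endpoints through which WordPress plugins normally receive form and AJAX submissions.
ADMIN_ENDPOINTS = ("/wp-admin/admin-post.php", "/wp-admin/admin-ajax.php")


def host_of(url):
    """Host part of an absolute URL; None when the logged value is '-' or empty."""
    if not url or url == "-":
        return None
    return urlsplit(url).hostname


def find_cross_site_admin_requests(log_text, site_host):
    """Return (ip, method, path, reason) for admin-endpoint requests whose browser-set
    source (Origin, falling back to Referer) is a foreign host or is missing entirely.
    A missing source is only a hint worth reviewing, since non-browser clients omit it."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]
        if path not in ADMIN_ENDPOINTS:
            continue
        src = host_of(m.group("origin")) or host_of(m.group("referer"))
        if src is None:
            reason = "no Origin/Referer"
        elif src != site_host:
            reason = f"cross-site source {src}"
        else:
            continue  # same-site source: expected for a legitimate admin action
        findings.append((m.group("ip"), m.group("method"), path, reason))
    return findings
```

Running `find_cross_site_admin_requests(SAMPLE_LOG, "shop.example")` on the constructed log reports the second and third lines and ignores the legitimate same-site POST and the ordinary page view.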
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the affected RT-Theme 18 | Extensions plugin to a version that addresses the vulnerability, if one is available.
As of the report date, no official patch is available, so it is recommended to seek assistance from hosting providers or developers to implement temporary protections.
Additional mitigation steps include educating privileged users to avoid clicking suspicious links or visiting untrusted pages while authenticated, and implementing web application firewalls to block potential CSRF attacks.