Impact
Cross‑Site Request Forgery in the Extend Themes Skyline WP theme can allow a remote attacker to cause a logged‑in user to perform actions with the user’s privileges. The flaw creates a request that the theme processes without sufficient verification of the user’s intent, potentially enabling modification of site settings or content, or other privileged operations whose exact scope depends on the installed theme’s capabilities. The impact is limited to the account level actions that the theme permits, but it gives an attacker a way to execute any operation the compromised user can normally perform. The vulnerability is classified as CWE‑352 because it exploits the absence of a verification token or anti‑CSRF measure.
Affected Systems
The vulnerability affects the Skyline WP theme from Extend Themes, all releases from the initial release up to and including version 1.0.10. No additional vendor or product information is disclosed in the advisory.
Risk and Exploitability
The CVSS score of 4.3 indicates a low to moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, which suggests it is not a widely exploited issue at this time. The attack vector is inferred to be remote and requires the victim to be authenticated to the site; the attacker must lure the user to a crafted site that posts a forged request to the vulnerable theme. Because the issue is a CSRF flaw, exploitation typically involves social engineering, yet the lack of an EPSS score and KEV listing imply that the exploit probability may be low. Nonetheless, any user who uses the affected theme and is logged in is a potential target and should be advised to apply the vendor’s patch.
OpenCVE Enrichment