Description
Cross-Site Request Forgery (CSRF) vulnerability in Anps Constructo constructo allows Object Injection.This issue affects Constructo: from n/a through <= 4.3.9.
Published: 2025-09-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Constructo theme contains a Cross‑Site Request Forgery (CSRF) weakness that allows an attacker to inject arbitrary objects. The flaw could be exploited to modify server data or trigger unintended actions by forcing a logged‑in user to submit a crafted request. The vulnerability aligns with CWE‑352 and carries a CVSS score of 8.8, indicating a high‑severity risk.

Affected Systems

WordPress sites that employ the Anps Constructo Theme version 4.3.9 or earlier. The theme is distributed by the vendor Anps.

Risk and Exploitability

The high CVSS rating reflects substantial potential damage if the flaw is abused. However, the EPSS score of less than 1% suggests that attacks are currently rare, and the issue is not listed in the CISA KEV catalog. The logical exploitation path would involve an authenticated user clicking a malicious link or submitting a forged form that triggers the theme's object‑injection routine. No officially published workaround exists; therefore, the safest approach is to apply the vendor’s patch or update.

Generated by OpenCVE AI on April 30, 2026 at 06:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Constructo theme to a version newer than 4.3.9 to eliminate the CSRF vulnerability.
  • If an update is not immediately available, disable or protect any endpoints that lack CSRF token validation within the theme.
  • Review other WordPress plugins and themes for similar CSRF weaknesses and apply fixes promptly.

Generated by OpenCVE AI on April 30, 2026 at 06:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30573 Cross-Site Request Forgery (CSRF) vulnerability in Anps Constructo allows Object Injection. This issue affects Constructo: from n/a through 4.3.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Anps Constructo allows Object Injection. This issue affects Constructo: from n/a through 4.3.9. Cross-Site Request Forgery (CSRF) vulnerability in Anps Constructo constructo allows Object Injection.This issue affects Constructo: from n/a through <= 4.3.9.
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Tue, 23 Sep 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 23 Sep 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Anps Constructo allows Object Injection. This issue affects Constructo: from n/a through 4.3.9.
Title WordPress Constructo Theme <= 4.3.9 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-13T00:22:38.128Z

Reserved: 2025-08-27T16:19:44.959Z

Link: CVE-2025-58244

cve-icon Vulnrichment

Updated: 2025-09-23T15:57:48.386Z

cve-icon NVD

Status : Deferred

Published: 2025-09-22T19:16:10.017

Modified: 2026-04-23T15:33:22.403

Link: CVE-2025-58244

cve-icon Redhat

Severity : Important

Publid Date: 2025-09-22T18:23:32Z

Links: CVE-2025-58244 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T07:00:13Z

Weaknesses