Description
Unauthenticated Cross Site Request Forgery (CSRF) in WordPress Dating Theme <= 11.2.0 versions.
Published: 2026-06-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Cross‑Site Request Forgery flaw found in WordPress Dating Theme versions 11.2.0 and earlier. An attacker can craft a malicious request that the theme accepts without verifying a CSRF token, allowing the request to be executed under any logged‑in user’s session. If successful, the attacker can modify account settings, change user roles or passwords, effectively taking over the victim’s account. The weakness is attributed to CWE‑352, an omission of proper CSRF token validation.

Affected Systems

The affected product is the WordPress Dating Theme from PremiumPress Limited for WordPress, specifically all releases up to and including 11.2.0, which are still deployed by site owners. No other products or vendors are impacted.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity, while the EPSS score is not publicly available, suggesting no current evidence of widespread exploitation. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is likely through a malicious link or form submission that a logged‑in user visits or submits, with no need for authentication or special access. Given the lack of mitigation controls in the affected versions, an attacker with access to a user’s session cookie can immediately exploit the flaw to alter account data.

Generated by OpenCVE AI on June 18, 2026 at 14:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WordPress Dating Theme to version 11.2.1 or later released by PremiumPress, which removes the CSRF validation flaw.
  • If an upgrade cannot be applied immediately, disable or remove the WordPress Dating Theme to eliminate the vulnerable code paths.
  • As a temporary measure, restrict access to the theme’s admin and AJAX endpoints (e.g., via .htaccess or a security plugin) and implement a site‑wide CSRF token check for all state‑changing requests.

Generated by OpenCVE AI on June 18, 2026 at 14:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Premiumpress Limited.
Premiumpress Limited. wordpress Dating Theme
Wordpress
Wordpress wordpress
Vendors & Products Premiumpress Limited.
Premiumpress Limited. wordpress Dating Theme
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Request Forgery (CSRF) in WordPress Dating Theme <= 11.2.0 versions.
Title WordPress WordPress Dating Theme theme <= 11.2.0 - Cross Site Request Forgery (CSRF) to Account Takeover vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Premiumpress Limited. Wordpress Dating Theme
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:31:42.849Z

Reserved: 2026-01-07T12:21:11.736Z

Link: CVE-2026-22342

cve-icon Vulnrichment

Updated: 2026-06-17T13:36:40.453Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:32Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)