Description
Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods Grand Blog grandblog allows Server Side Request Forgery.This issue affects Grand Blog: from n/a through < 3.1.5.
Published: 2026-02-03
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Monitor
AI Analysis

Impact

A Server‑Side Request Forgery flaw exists in the Grand Blog theme before version 3.1.5 that allows a malicious actor to instruct the WordPress site to make arbitrary HTTP requests on its behalf. The vulnerability is rooted in unchecked input that the theme forwards to external URLs, enabling a malicious request to be crafted. This can compromise confidentiality, integrity, or availability of internal resources, and may be leveraged to build further attacks such as pivoting into company‑internal services or exfiltrating data.

Affected Systems

The problem affects the Grand Blog theme provided by ThemeGoods. All installations using any Grand Blog version from the earliest release through the latest unreleased 3.1.5 are susceptible. The exact version range is not listed beyond “< 3.1.5.”

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate risk, and the EPSS of less than 1% suggests that, at present, exploitation likelihood is very low. The issue is not in the CISA KEV catalog. Attackers would need to supply a URL that the theme processes; because the theme accepts arbitrary URLs, the attack vector is likely web‑based within the WordPress administration interface or via crafted requests to the theme’s endpoints. No publicly available exploits are known, but the potential for abuse exists if an attacker can influence request parameters.

Generated by OpenCVE AI on April 16, 2026 at 01:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Grand Blog theme to version 3.1.5 or later.
  • Disable any network request features exposed by the theme if upgrading is not immediately possible.
  • Restrict outbound HTTP requests from the WordPress installation to trusted destinations by configuring a firewall or using a web application firewall rule.

Generated by OpenCVE AI on April 16, 2026 at 01:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Themegoods
Themegoods grand Blog
Wordpress
Wordpress wordpress
Vendors & Products Themegoods
Themegoods grand Blog
Wordpress
Wordpress wordpress

Tue, 03 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 14:30:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods Grand Blog grandblog allows Server Side Request Forgery.This issue affects Grand Blog: from n/a through < 3.1.5.
Title WordPress Grand Blog theme < 3.1.5 - Server Side Request Forgery (SSRF) vulnerability
Weaknesses CWE-918
References

Subscriptions

Themegoods Grand Blog
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:35.873Z

Reserved: 2026-01-28T09:50:35.464Z

Link: CVE-2026-24961

cve-icon Vulnrichment

Updated: 2026-02-03T17:06:21.829Z

cve-icon NVD

Status : Deferred

Published: 2026-02-03T15:16:16.683

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24961

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T01:30:20Z

Weaknesses