Impact
WordPress Grand Photography theme versions through 5.7.8 contain a Cross‑Site Request Forgery flaw that lets an attacker force an authenticated user to execute arbitrary actions within the site, such as creating posts, modifying settings or deleting content. The weakness lies in missing or unvalidated anti‑CSRF tokens, categorized under CWE‑352, and compromises the integrity of the application.
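The missing-token weakness described above, shown in an added PHP example that is not code from the Grand Photography theme: a settings handler that relies on a capability check alone, beside the same handler protected with a WordPress nonce. The option name, action slug and function names are hypothetical.

```php
<?php
// Added illustration, not code from the Grand Photography theme. The option
// name, action slug and function names below are hypothetical.

// Vulnerable pattern: an admin-post handler that accepts any POST request
// carrying the expected fields. A form on an attacker-controlled page can
// submit it while the victim's WordPress session cookie is sent
// automatically by the browser (CWE-352).
function gp_demo_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // No nonce check: the capability test proves WHO the user is, not that
    // the user INTENDED this particular request.
    update_option( 'gp_demo_gallery_title', sanitize_text_field( $_POST['title'] ?? '' ) );
    wp_safe_redirect( admin_url( 'themes.php?page=gp-demo' ) );
    exit;
}

// Hardened pattern: the form embeds a nonce bound to the user, session and
// action, and the handler refuses the request unless the nonce verifies.
function gp_demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="gp_demo_save_settings">
        <?php wp_nonce_field( 'gp_demo_save_settings', 'gp_demo_nonce' ); ?>
        <input type="text" name="title"
               value="<?php echo esc_attr( get_option( 'gp_demo_gallery_title', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function gp_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() calls wp_die() when the nonce is absent, expired,
    // or was issued for a different user or action, so a cross-site request
    // never reaches update_option().
    check_admin_referer( 'gp_demo_save_settings', 'gp_demo_nonce' );
    update_option( 'gp_demo_gallery_title', sanitize_text_field( $_POST['title'] ?? '' ) );
    wp_safe_redirect( admin_url( 'themes.php?page=gp-demo' ) );
    exit;
}

// Only the hardened handler is wired to admin-post.php.
add_action( 'admin_post_gp_demo_save_settings', 'gp_demo_save_settings_hardened' );
```

When auditing a theme for this class of flaw, look for every handler hooked to admin_post_*, admin_ajax or init that calls update_option(), wp_insert_post() or wp_delete_post() without a preceding check_admin_referer() or wp_verify_nonce() call.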
Affected Systems
The affected vendor is ThemeGoods, publisher of the Grand Photography WordPress theme. All releases up to and including version 5.7.8 are in scope; later releases are assumed to be fixed.
Risk and Exploitability
The issue presents a low‑to‑medium severity risk because the attacker must coerce a logged‑in user to visit a crafted URL while the session cookie is active. No public exploits are documented, EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. However, the potential for damage is significant if the site contains highly privileged users, and the attack can be automated with simple phishing or malicious links.
OpenCVE Enrichment