Impact
This flaw is a cross‑site request forgery that permits an attacker to trigger the installation of any WordPress plugin on a site using the affected theme. The installation process can include malicious code, giving the attacker the same level of control that a legitimate plugin could provide. The weakness matches CWE‑352, the classic CSRF defect that allows unauthorized actions under a victim’s authenticated session.
Affected Systems
WordPress sites that have installed the Bluestreet theme by Priyanshu Mittal with a version of 1.7.3 or earlier are affected. No other vendors or products are listed in the CNA data, and no additional version ranges are specified beyond the upper bound of 1.7.3.
Risk and Exploitability
Exploitation requires an authenticated user session with permission to install plugins, and that user must be induced to open a specially crafted link that submits an installation request. Based on the description, it is inferred that the attacker must entice a user to visit the forged URL through social engineering or embedded links. Because the vulnerability is a standard CSRF pattern and the capability to install plugins can be granted to non‑administrator accounts, the risk is high on sites with permissive install options. The CVSS score is not reported, the EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. Nevertheless, the potential for arbitrary code execution makes the threat significant.
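To make the CWE‑352 pattern concrete in WordPress terms, here is an added illustration that is not code from the Bluestreet theme: an admin-post handler that installs a plugin with no request-origin check, beside a hardened version that requires a nonce, the install_plugins capability, and a fixed allow-list of slugs. All function, action, nonce and plugin-slug names (example_theme_*) are hypothetical.

```php
<?php
// Hypothetical theme admin handler (not the Bluestreet theme's actual code):
// the CSRF-vulnerable pattern beside a hardened one.

// Assumed helper: installs a plugin from WordPress.org through the core upgrader.
function example_theme_run_install( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new Automatic_Upgrader_Skin() );
    return $upgrader->install( $api->download_link );
}

// VULNERABLE (CWE-352): any request that reaches admin-post.php under a logged-in
// session is trusted. A form auto-submitted from another site carries the victim's
// cookies, so the plugin named in the request is installed with their privileges.
function example_theme_install_plugin_vulnerable() {
    $slug = sanitize_key( $_REQUEST['plugin'] ?? '' );
    example_theme_run_install( $slug );
    wp_safe_redirect( admin_url( 'themes.php' ) );
    exit;
}

// HARDENED: (1) a nonce that only a page the user actually loaded can carry,
// (2) an explicit capability check, (3) slugs restricted to a list the theme ships.
function example_theme_install_plugin_hardened() {
    // Ends the request with a 403 page if the nonce is missing, expired, or was
    // issued to a different user/session; the action string binds it to this operation.
    check_admin_referer( 'example_theme_install_plugin' );

    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_die( esc_html__( 'You are not allowed to install plugins.', 'example-theme' ), 403 );
    }

    $allowed = array( 'example-forms', 'example-sliders' ); // constructed allow-list
    $slug    = sanitize_key( $_POST['plugin'] ?? '' );
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_die( esc_html__( 'Unknown plugin.', 'example-theme' ), 400 );
    }

    example_theme_run_install( $slug );
    wp_safe_redirect( admin_url( 'themes.php?installed=' . rawurlencode( $slug ) ) );
    exit;
}
// The theme's own install form must call wp_nonce_field( 'example_theme_install_plugin' )
// so that legitimate submissions pass the check above.
add_action( 'admin_post_example_theme_install_plugin', 'example_theme_install_plugin_hardened' );
```

When reviewing a theme or plugin for this class of defect, look for install, activate or settings handlers reachable via admin-post.php or admin-ajax.php that call neither check_admin_referer()/wp_verify_nonce() nor current_user_can().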
OpenCVE Enrichment