Description
Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Busiprof busiprof allows Upload a Web Shell to a Web Server. This issue affects Busiprof: from n/a through <= 2.5.2.
Published: 2026-04-08
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Busiprof WordPress theme contains a Cross-Site Request Forgery flaw that lets an attacker, by forging a request that a victim's browser submits on their behalf, upload arbitrary files, including web shells, to the site's server. This allows code execution with the web server's privileges, effectively compromising the website. The weakness is classified as CWE-352.

Affected Systems

All WordPress sites running the Busiprof theme at version 2.5.2 or earlier are vulnerable; any installation that has not been updated past that version is affected.

Risk and Exploitability

The vulnerability carries a CVSS base score of 9.6, placing it in the critical range and indicating that successful exploitation results in complete compromise. The EPSS probability is below 1%, suggesting that exploit attempts are currently rare, and the issue is not listed in CISA's KEV catalog. The likely attack vector is a forged request submitted from the browser of a user who has permission to upload files, such as a content editor or administrator, after that user is tricked into visiting a page that triggers it. Once the request is processed, a web shell lands in the upload directory and can be used to execute arbitrary code.

Generated by OpenCVE AI on April 10, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Busiprof theme to the first release later than 2.5.2 once a patched version becomes available.
  • If an upgrade cannot be performed immediately, disable the theme's file-upload functionality or restrict uploads using WordPress settings.
  • Configure the upload directory so that uploaded files cannot be executed, for example by setting appropriate permissions or adding an .htaccess rule that denies execution.
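The CWE-352 root cause is an upload action that can be triggered without proof that the request came from the site's own form. The following is an added example of the controls WordPress provides for that, written as a hypothetical theme upload handler; it is not code from the Busiprof theme, and the action name, nonce name, field name and allowed types are assumptions.

```php
<?php
// Added example (hypothetical handler, not the Busiprof theme's code).
// The form that posts to this handler must include the matching nonce:
//   wp_nonce_field( 'example_theme_upload', 'example_theme_nonce' );
// A cross-site page cannot read that value, so a forged request fails step 1.

require_once ABSPATH . 'wp-admin/includes/file.php';

function example_theme_handle_upload() {
    // 1. Nonce check: check_ajax_referer() ends the request with 403 when the
    //    nonce is absent, expired, or issued for a different action or user.
    check_ajax_referer( 'example_theme_upload', 'example_theme_nonce' );

    // 2. Capability check, independent of the nonce.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    if ( empty( $_FILES['theme_file'] ) ) {
        wp_send_json_error( 'No file received.', 400 );
    }

    // 3. Type allow-list: only what the theme needs. Executable extensions
    //    such as .php are not listed, so a web shell is refused here.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['theme_file']['tmp_name'], $_FILES['theme_file']['name'], $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'File type not allowed.', 415 );
    }

    // 4. Let WordPress move the file into wp-content/uploads. test_form is
    //    false because this handler already validated the request itself.
    $result = wp_handle_upload(
        $_FILES['theme_file'], array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// Registered only for logged-in users: no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_example_theme_upload', 'example_theme_handle_upload' );
```

Pair this with the .htaccess or permission rule from the last bullet so that even a file that slips past the allow-list cannot be executed from the uploads directory.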



Advisories

No advisories yet.

History

Fri, 10 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Priyanshumittal
Priyanshumittal busiprof
Wordpress
Wordpress wordpress
Vendors & Products Priyanshumittal
Priyanshumittal busiprof
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Busiprof busiprof allows Upload a Web Shell to a Web Server.This issue affects Busiprof: from n/a through <= 2.5.2.
Title WordPress Busiprof theme <= 2.5.2 - Cross Site Request Forgery (CSRF) to Arbitrary File Upload vulnerability
Weaknesses CWE-352
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.646Z

Reserved: 2026-04-07T10:57:27.974Z

Link: CVE-2026-39619

Vulnrichment

Updated: 2026-04-09T20:40:48.807Z

NVD

Status : Deferred

Published: 2026-04-08T09:16:31.873

Modified: 2026-04-24T18:06:58.907

Link: CVE-2026-39619

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:40:58Z

Weaknesses