Description
Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Busiprof busiprof allows Upload a Web Shell to a Web Server. This issue affects Busiprof: from n/a through <= 2.5.2.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via uploaded web shell
Action: Update Theme
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery flaw that allows an attacker to upload an arbitrary file, including a web shell, to the web server. Because the file is uploaded under the privileges of the authenticated WordPress user, a malicious actor can gain remote code execution capabilities. The weakness is classified under CWE‑352 and could compromise the confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

WordPress sites that use the Busiprof theme by priyanshumittal at version 2.5.2 or earlier are affected; the vulnerability exists in every release up to and including 2.5.2.

Risk and Exploitability

The forged request only succeeds when a victim who holds a valid authenticated session, in practice an administrator or editor with access to the WordPress dashboard, is induced to submit it, so exploitation is bounded by that victim's privileges. Once a web shell is uploaded, the attacker can execute arbitrary code on the server. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, but the impact is severe and the attack vector is likely to be web‑based and reachable through any authenticated user who can reach the site. The overall risk is high for sites that still run the vulnerable theme.

Generated by OpenCVE AI on April 8, 2026 at 09:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the current Busiprof theme version on your WordPress installation.
  • If the theme version is 2.5.2 or older, upgrade to the latest release that resolves the CSRF upload flaw.
  • If an upgrade is not possible, remove or deactivate the Busiprof theme to stop the upload endpoint from being available.
  • Apply all available WordPress core, plugin, and theme updates to reduce overall attack surface.
  • Add or enforce CSRF tokens (nonces) on file‑upload forms if you must keep the theme.
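As an added example (not Busiprof's code; the theme's actual upload endpoint is not shown on this page), the following hypothetical WordPress theme handler contrasts an upload handler that trusts any logged-in POST with one that applies the nonce and capability checks the last bullet refers to. Every name here (the `demo_upload` action, the `demo_file` field, the `demo_upload_nonce` field and the `demo_*` functions) is an assumption; the WordPress functions themselves (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `wp_handle_upload`) are real core APIs.

```php
<?php
// Added example, not the Busiprof theme's code. All demo_* names are assumptions.

// --- CSRF-prone pattern (CWE-352): nothing proves the request originated from this
// site's own form. A forged cross-site form submitted by a logged-in editor or
// administrator is processed under that user's privileges.
function demo_upload_handler_unsafe() {
    if ( ! empty( $_FILES['demo_file'] ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
        $result = wp_handle_upload( $_FILES['demo_file'], array( 'test_form' => false ) );
        // ... stores $result['url'] in theme options without any further checks ...
    }
}

// --- Hardened pattern.

// 1. The form embeds a nonce bound to a specific action and to the current user's session.
function demo_render_upload_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_upload" />
        <?php wp_nonce_field( 'demo_upload_action', 'demo_upload_nonce' ); ?>
        <input type="file" name="demo_file" />
        <?php submit_button( 'Upload' ); ?>
    </form>
    <?php
}

// 2. The handler verifies nonce, capability and file type before anything touches disk.
function demo_upload_handler_safe() {
    // Calls wp_die() unless the nonce matches this action for this user; this is the CSRF check.
    check_admin_referer( 'demo_upload_action', 'demo_upload_nonce' );

    // A nonce proves intent, not authorization: still require the upload capability.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    if ( empty( $_FILES['demo_file']['name'] ) ) {
        wp_die( 'No file provided.', 400 );
    }

    // Allow-list image types only. wp_handle_upload() also verifies the extension against
    // the file's real content (wp_check_filetype_and_ext), so a PHP file renamed to
    // .jpg is rejected rather than written into the uploads directory.
    $allowed = array(
        'jpg' => 'image/jpeg',
        'png' => 'image/png',
        'gif' => 'image/gif',
    );
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['demo_file'], array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );

    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), 400 );
    }

    update_option( 'demo_upload_url', esc_url_raw( $result['url'] ) );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// admin_post_{action} only fires for authenticated users, which is exactly the
// condition a CSRF attack relies on; the nonce check inside the handler is still required.
add_action( 'admin_post_demo_upload', 'demo_upload_handler_safe' );
```

When auditing a theme or plugin for this class of issue, look for every handler that writes uploaded data and confirm that a `check_admin_referer()` or `wp_verify_nonce()` call precedes the write, that the form actually emits the matching `wp_nonce_field()`, and that the accepted MIME list excludes executable types.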

Generated by OpenCVE AI on April 8, 2026 at 09:40 UTC.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Priyanshumittal; Priyanshumittal busiprof; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Priyanshumittal; Priyanshumittal busiprof; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Busiprof busiprof allows Upload a Web Shell to a Web Server. This issue affects Busiprof: from n/a through <= 2.5.2.
Type: Title
  Values Removed: (none)
  Values Added: WordPress Busiprof theme <= 2.5.2 - Cross Site Request Forgery (CSRF) to Arbitrary File Upload vulnerability
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-352
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:25.868Z

Reserved: 2026-04-07T10:57:27.974Z

Link: CVE-2026-39619

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T09:16:31.873

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39619

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:41:57Z

Weaknesses