Description
Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicepress allows Upload a Web Shell to a Web Server. This issue affects SpicePress: from n/a through <= 2.3.2.5.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Web Shell
Action: Immediate Patch
AI Analysis

Impact

The SpicePress theme contains a Cross-Site Request Forgery flaw that lets an unauthenticated attacker trick an authenticated WordPress user into uploading a web shell through the plugin installation interface. This flaw enables the attacker to gain full administrative access to the site and execute arbitrary code on the server, compromising confidentiality, integrity and availability. The weakness is identified as CWE-352.

Affected Systems

WordPress sites using the SpicePress theme from any version up to and including 2.3.2.5 are affected. The vulnerability is present in the theme component supplied by spicethemes. The issue exists regardless of other themes or plugins being present.

Risk and Exploitability

The vulnerability can be exploited by sending a crafted request to a user who is logged in and has permission to install plugins. An attacker does not need additional privilege escalation beyond the normal admin context, making the attack path straightforward. No formal CVSS or EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, because of the potential for remote code execution, the risk to affected sites is high if no countermeasures are applied.

Generated by OpenCVE AI on April 8, 2026 at 09:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SpicePress theme to the latest available release (2.3.2.6 or later).
  • If an update cannot be applied immediately, disable or remove the plugin upload interface or restrict it to trusted administrators only.
  • Ensure all upload endpoints include proper CSRF tokens and verify file types before saving.
  • Review and restrict user roles so that only necessary users have permission to install plugins.
  • Observe server logs for unexpected uploads or shell-like files and block them promptly.
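The third and fourth actions above (CSRF tokens on upload endpoints, file-type verification, and capability checks) are shown below in a small added Python model; it is an illustration written for this page, not code from OpenCVE, SpiceThemes or WordPress. In WordPress itself the same three layers are wp_nonce_field() with check_admin_referer(), current_user_can('install_plugins'), and an allowlist on the uploaded package type. The request dictionaries, session ids, origins and file names are constructed sample data, and the token scheme (HMAC over session id and action) stands in for a WordPress nonce.

```python
"""Added illustration of protecting a privileged upload/install endpoint against CSRF.
Not OpenCVE's or SpiceThemes' code. Request/session objects, origins and file
names below are constructed for the example."""
import hashlib
import hmac
import os
import secrets
from typing import Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.test"      # constructed: the site's own origin
ALLOWED_UPLOAD_EXT = {".zip"}             # plugin packages only; script files are refused
SERVER_SECRET = secrets.token_bytes(32)   # per-deployment secret, never sent to clients


def make_csrf_token(session_id: str, action: str) -> str:
    """Token bound to one session and one action (as a WordPress nonce is bound to user + action)."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, action: str, presented: Optional[str]) -> bool:
    if not presented:
        return False
    return hmac.compare_digest(make_csrf_token(session_id, action), presented)


def request_origin(headers: dict) -> Optional[str]:
    """Origin header if present, else the origin part of Referer, else None."""
    if headers.get("Origin"):
        return headers["Origin"]
    ref = headers.get("Referer")
    if ref:
        parts = urlsplit(ref)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def handle_upload_unprotected(request: dict) -> tuple:
    """The weak pattern the advisory describes: login and capability only, no CSRF check.
    A cross-site form post carries the victim's cookies, so it passes both checks."""
    session = request.get("session") or {}
    if not session.get("user"):
        return 401, "login required"
    if "install_plugins" not in session.get("capabilities", ()):
        return 403, "capability install_plugins required"
    return 200, f"installed {request['form'].get('filename')}"


def handle_upload_protected(request: dict) -> tuple:
    """Hardened handler: capability, same-origin, per-session token, then file-type allowlist."""
    session = request.get("session") or {}
    if not session.get("user"):
        return 401, "login required"
    if "install_plugins" not in session.get("capabilities", ()):
        return 403, "capability install_plugins required"
    # 1. Same-origin check: browsers attach Origin/Referer to cross-site form posts.
    if request_origin(request["headers"]) != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    # 2. Per-session, per-action token that a third-party page cannot read.
    if not verify_csrf_token(session["id"], "upload-plugin", request["form"].get("_token")):
        return 403, "missing or invalid CSRF token"
    # 3. File-type check before anything is written to disk.
    _, ext = os.path.splitext(request["form"].get("filename", "").lower())
    if ext not in ALLOWED_UPLOAD_EXT:
        return 400, f"file type {ext or '(none)'} not allowed"
    return 200, f"installed {request['form']['filename']}"


# --- Constructed sample traffic --------------------------------------------
ADMIN_SESSION = {"id": "sess-0001", "user": "admin", "capabilities": {"install_plugins"}}


def legitimate_request() -> dict:
    """Form post from the site's own admin page, carrying the token the page rendered."""
    return {"session": ADMIN_SESSION,
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"filename": "my-plugin.zip",
                     "_token": make_csrf_token(ADMIN_SESSION["id"], "upload-plugin")}}


def forged_request() -> dict:
    """Cross-site post riding on the admin's cookies: the session is attached by the
    browser, but the Origin is foreign and no valid token is present."""
    return {"session": ADMIN_SESSION,
            "headers": {"Origin": "https://third-party.example"},
            "form": {"filename": "forged-package.zip"}}


def forged_request_no_origin() -> dict:
    """Same as above with Origin and Referer stripped; still rejected."""
    return {"session": ADMIN_SESSION, "headers": {}, "form": {"filename": "forged-package.zip"}}


if __name__ == "__main__":
    for name, req in [("legitimate", legitimate_request()), ("forged", forged_request())]:
        print(name, "unprotected:", handle_upload_unprotected(req))
        print(name, "protected:  ", handle_upload_protected(req))
```

Running the block shows the forged request accepted by the unprotected handler and rejected by the protected one, while the legitimate request passes both. The token is compared with hmac.compare_digest so a forged request cannot be tuned against timing differences, and the file-type check runs before any write so a rejected package never reaches disk.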

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Spicethemes
                                       Spicethemes spicepress
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products    -                Spicethemes
                                       Spicethemes spicepress
                                       Wordpress
                                       Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type                  Values Removed   Values Added
Description           -                Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicepress allows Upload a Web Shell to a Web Server. This issue affects SpicePress: from n/a through <= 2.3.2.5.
Title                 -                WordPress SpicePress theme <= 2.3.2.5 - CSRF to Arbitrary Plugin Installation vulnerability
Weaknesses            -                CWE-352
References            -                -

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:26.321Z

Reserved: 2026-04-07T10:57:27.974Z

Link: CVE-2026-39621

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T09:16:32.270

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39621

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:41:55Z

Weaknesses