Description
Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicepress allows Upload a Web Shell to a Web Server. This issue affects SpicePress: from n/a through <= 2.3.2.5.
Published: 2026-04-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The SpicePress theme for WordPress includes a Cross-Site Request Forgery (CSRF) weakness that allows an attacker to upload a web shell and install arbitrary plugins. This flaw can lead to complete remote code execution on the web server, compromising the confidentiality, integrity and availability of the site. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery), a request-forgery weakness.

Affected Systems

WordPress sites using the SpicePress theme from any version prior to 2.3.2.6 (i.e., n/a through 2.3.2.5) are affected. The issue is specific to the spicethemes SpicePress product and impacts all installations of that theme within the stated version range.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score is reported as less than 1%, suggesting a low probability of widespread automated exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to exploit the CSRF flaw by having an authenticated user submit a malicious form that triggers the upload of a web shell and a subsequent plugin installation. Because the flaw operates through form submissions, the likely attack vector is an authenticated user interacting with a malicious site that sends the forged request to the target WordPress instance.

Generated by OpenCVE AI on April 9, 2026 at 23:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SpicePress to the latest available version (2.3.2.6 or newer).
  • If an upgrade is not immediately possible, disable or restrict the theme’s file‑upload and plugin‑installation functionality to prevent unauthorized uploads.
  • Verify that all form endpoints in the theme enforce CSRF tokens and session validation on the server side.
  • Continuously monitor the site for unexpected file uploads or plugin installations, and immediately revoke any user accounts that appear compromised.
  • If the site remains vulnerable, limit or temporarily suspend the theme until a fix can be applied.
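The third recommendation above (server-side CSRF tokens plus session validation) is what a theme's privileged endpoint must enforce. The following is an added illustration, not SpicePress's code: a hypothetical theme AJAX handler that installs a plugin from the official repository, with the checks that close a CSRF-to-plugin-install path. The action name, nonce action and script handle are assumptions.

```php
<?php
// Added example (not SpicePress code): hypothetical theme AJAX handler for
// installing a plugin. Names like example_theme_install_plugin are assumed.

add_action( 'wp_ajax_example_theme_install_plugin', 'example_theme_install_plugin' );

function example_theme_install_plugin() {
    // 1. CSRF token: the request must carry a nonce minted for this user and
    //    this action. A form on a third-party site cannot obtain it, so a
    //    forged request dies here (check_ajax_referer exits on failure).
    check_ajax_referer( 'example_theme_install_plugin', 'nonce' );

    // 2. Authorisation: a valid nonce proves intent, not privilege. Require the
    //    capability WordPress core itself uses for plugin installation.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation: accept only a wordpress.org plugin slug, never a
    //    caller-supplied download URL or an uploaded archive.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( 'missing slug', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    // Resolve the package from the official API so the download origin is
    // fixed by the server, not chosen by the request.
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 400 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'install failed', 500 );
    }
    wp_send_json_success( array( 'slug' => $slug ) );
}

// The nonce is minted on the admin page that renders the form or script,
// e.g. (assumed script handle):
// wp_localize_script( 'example-theme-admin', 'exampleTheme',
//     array( 'nonce' => wp_create_nonce( 'example_theme_install_plugin' ) ) );
```

When auditing a theme, look for handlers hooked to `wp_ajax_*`, `admin_post_*` or the REST API that reach file-write or installer code without the first two checks; those are the endpoints a forged cross-site form can drive.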

Generated by OpenCVE AI on April 9, 2026 at 23:29 UTC.

Advisories

No advisories yet.

History

Fri, 01 May 2026 04:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 21:30:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Spicethemes; Spicethemes spicepress; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Spicethemes; Spicethemes spicepress; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type: Description
Values Removed: none
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicepress allows Upload a Web Shell to a Web Server.This issue affects SpicePress: from n/a through <= 2.3.2.5.

Type: Title
Values Removed: none
Values Added: WordPress SpicePress theme <= 2.3.2.5 - CSRF to Arbitrary Plugin Installation vulnerability

Type: Weaknesses
Values Removed: none
Values Added: CWE-352

Type: References
Values Removed: none
Values Added: none

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.618Z

Reserved: 2026-04-07T10:57:27.974Z

Link: CVE-2026-39621

Vulnrichment

Updated: 2026-04-09T20:38:10.529Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:32.270

Modified: 2026-04-24T18:06:58.907

Link: CVE-2026-39621

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:40:57Z

Weaknesses