Description
Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Car Rental grandcarrental allows Cross Site Request Forgery. This issue affects Grand Car Rental: from n/a through <= 3.6.9.
Published: 2026-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery that may allow attackers to perform actions on behalf of authenticated users
Action: Patch Theme
AI Analysis

Impact

The vulnerability is a classic CSRF flaw in the Grand Car Rental theme, disclosed for all versions up to 3.6.9. By luring an authenticated user to a malicious page that submits a crafted request to the site, an attacker can make that user's browser trigger unintended actions within the theme or website, potentially modifying data or settings without the user's knowledge. The weakness corresponds to CWE-352 (Cross-Site Request Forgery).
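As an added illustration of what a CWE-352 flaw in a WordPress theme handler typically looks like, and how the nonce-protected form differs, here is a hypothetical settings-saving handler. This is not code from the Grand Car Rental theme or from ThemeGoods; the function, action, option and field names (demo_save_settings, demo_rental_currency, security) are invented for the example, and the WordPress API calls used (check_ajax_referer, current_user_can, wp_create_nonce) are the standard core functions.

```php
<?php
// Hypothetical illustration of CWE-352 in a WordPress theme handler.
// Not the Grand Car Rental theme's code; all names below are invented.

// BEFORE: a logged-in AJAX handler that trusts any POST carrying the user's
// session cookie. A page on another origin can auto-submit a form to
// admin-ajax.php?action=demo_save_settings_vulnerable; the browser attaches
// the cookies, so the request runs with the victim's privileges.
function demo_save_settings_vulnerable() {
    $currency = sanitize_text_field( wp_unslash( $_POST['currency'] ?? '' ) );
    update_option( 'demo_rental_currency', $currency );
    wp_send_json_success( array( 'currency' => $currency ) );
}
add_action( 'wp_ajax_demo_save_settings_vulnerable', 'demo_save_settings_vulnerable' );

// AFTER: bind the request to a nonce minted for this user and this action,
// and check capability as well, since a nonce proves intent, not authorization.
function demo_save_settings_fixed() {
    // Verifies $_REQUEST['security'] against the 'demo_save_settings' action.
    // On failure core terminates the request with HTTP 403 before any write.
    check_ajax_referer( 'demo_save_settings', 'security' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    $currency = sanitize_text_field( wp_unslash( $_POST['currency'] ?? '' ) );
    update_option( 'demo_rental_currency', $currency );
    wp_send_json_success( array( 'currency' => $currency ) );
}
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings_fixed' );

// The legitimate settings page mints the nonce and embeds it in the form it
// renders. A cross-site page cannot read this value (same-origin policy), so
// a forged POST lacks a valid 'security' field and fails the check above.
function demo_render_settings_form() {
    $nonce   = wp_create_nonce( 'demo_save_settings' );
    $current = get_option( 'demo_rental_currency', 'USD' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_settings">
        <input type="hidden" name="security" value="<?php echo esc_attr( $nonce ); ?>">
        <input type="text" name="currency" value="<?php echo esc_attr( $current ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

For classic (non-AJAX) form handlers the same pattern uses wp_nonce_field() in the form and check_admin_referer() in the handler. When auditing a theme for this class of issue, the check to make is that every state-changing handler reachable by a logged-in user both verifies a nonce and checks a capability; a missing nonce alone is enough to produce the CVSS profile shown on this page (AV:N, PR:L, UI:R).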

Affected Systems

The affected system is the Grand Car Rental theme provided by ThemeGoods. Any WordPress installation that uses this theme in a version equal to or older than 3.6.9 is impacted. No further sub‑versions are specified, so all releases up through 3.6.9 are covered. If the site runs a newer theme version, it is not affected.

Risk and Exploitability

The CVSS score of 6.5 places the issue in the medium severity range. The EPSS score below 1 percent indicates a low probability of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires that the target user is authenticated to the site and visits a malicious page that submits a request the theme accepts (PR:L and UI:R in the CVSS vector). Because the attack is delivered over the web and needs no privileged local access, the attack vector is rated Network (AV:N): it can be conducted from any remote host that can reach the site.

Generated by OpenCVE AI on April 9, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Grand Car Rental theme to version 3.7 or later
  • If an update is not immediately available, consider disabling the theme until a patch is released
  • Review and monitor for any unintended actions performed by authenticated users after the update to confirm that the issue is resolved

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Themegoods
                                       Themegoods grand Car Rental
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Themegoods
                                       Themegoods grand Car Rental
                                       Wordpress
                                       Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type          Values Removed   Values Added
Description                    Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Car Rental grandcarrental allows Cross Site Request Forgery. This issue affects Grand Car Rental: from n/a through <= 3.6.9.
Title                          WordPress Grand Car Rental theme <= 3.6.9 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses                     CWE-352
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-09T16:16:54.956Z

Reserved: 2026-04-07T10:57:43.490Z

Link: CVE-2026-39633

Vulnrichment

Updated: 2026-04-09T16:11:58.155Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:33.877

Modified: 2026-04-24T18:06:24.707

Link: CVE-2026-39633

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:40:51Z

Weaknesses