Description
Cross-Site Request Forgery (CSRF) vulnerability in Skywarrior Blackfyre blackfyre allows Cross Site Request Forgery. This issue affects Blackfyre: from n/a through <= 2.5.4.
Published: 2026-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery
Action: Apply Patch
AI Analysis

Impact

The Blackfyre theme for WordPress contains an unauthenticated Cross-Site Request Forgery (CSRF) weakness (CWE-352) that lets a remote attacker cause a logged-in user's browser to submit state-changing requests the user never intended. Because the forged request is sent with the victim's existing session, it can alter site configuration, publish or delete content, or otherwise act with the authenticated user's privileges. The result is data modification, loss of integrity, or unauthorized content changes.

Affected Systems

Skywarrior’s Blackfyre WordPress theme is affected. All releases up to and including version 2.5.4 are vulnerable. No specific patch release is documented in the report, but any installation of the theme at or below 2.5.4 is susceptible until the theme is updated.

Risk and Exploitability

The CVSS v3.1 score of 6.5 classifies the vulnerability as medium severity, while the EPSS value of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to lure a logged-in user to a crafted page or link; the attack vector is thus web-based and relies on the victim's authenticated session rather than on any privileges held by the attacker (the CVSS vector records PR:N with UI:R). If exploited, the impact is limited to the permissions of the coerced user, but a privileged user could modify critical site settings or publish unwanted content.

Generated by OpenCVE AI on April 9, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Blackfyre theme to a version newer than 2.5.4 where the CSRF flaw is fixed.
  • If an upgrade cannot be performed immediately, restrict or disable state-changing actions for users who are not required to use them, or deploy a plugin that enforces CSRF nonces for protected forms.
  • After applying a fix or workaround, test the site to confirm that forged requests can no longer modify site data.
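
One way to implement the nonce enforcement recommended above, shown as an added illustration that is not code from the Blackfyre theme: a WordPress settings handler without a nonce beside the same handler with WordPress's nonce and capability checks. The option name, form field names and admin_post action names are hypothetical.

```php
<?php
// Added illustration; option name, field names and action names are hypothetical.

// Before: a settings handler with no CSRF protection. Any page a logged-in
// administrator visits can auto-submit this form and change the option.
// Shown for contrast only; it is intentionally not registered on a hook.
function blackfyre_demo_save_unprotected() {
    update_option( 'blackfyre_demo_footer_text', wp_unslash( $_POST['footer_text'] ?? '' ) );
    wp_safe_redirect( admin_url( 'themes.php?page=blackfyre-demo' ) );
    exit;
}

// Form rendering: emits a nonce field bound to the action name, so a forged
// cross-site request cannot know the per-user, time-limited token.
function blackfyre_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="blackfyre_demo_save">
        <?php wp_nonce_field( 'blackfyre_demo_save', 'blackfyre_demo_nonce' ); ?>
        <input type="text" name="footer_text"
               value="<?php echo esc_attr( get_option( 'blackfyre_demo_footer_text', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// After: the handler verifies the nonce (check_admin_referer() dies on mismatch),
// confirms the caller holds the capability the action needs, and sanitizes input.
add_action( 'admin_post_blackfyre_demo_save', 'blackfyre_demo_save_protected' );
function blackfyre_demo_save_protected() {
    check_admin_referer( 'blackfyre_demo_save', 'blackfyre_demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'blackfyre-demo' ), 403 );
    }
    $text = sanitize_text_field( wp_unslash( $_POST['footer_text'] ?? '' ) );
    update_option( 'blackfyre_demo_footer_text', $text );
    wp_safe_redirect( admin_url( 'themes.php?page=blackfyre-demo' ) );
    exit;
}
```

The same pattern applies to any state-changing action a theme exposes: every handler needs its own nonce check plus a capability check, since a nonce alone does not prove authorization.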

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Skywarrior; Skywarrior blackfyre; Wordpress; Wordpress wordpress
Vendors & Products    -                Skywarrior; Skywarrior blackfyre; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type          Values Removed   Values Added
Description   -                Cross-Site Request Forgery (CSRF) vulnerability in Skywarrior Blackfyre blackfyre allows Cross Site Request Forgery. This issue affects Blackfyre: from n/a through <= 2.5.4.
Title         -                WordPress Blackfyre theme <= 2.5.4 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses    -                CWE-352
References    -                -

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-09T15:38:54.023Z

Reserved: 2026-04-07T10:57:43.491Z

Link: CVE-2026-39641

Vulnrichment

Updated: 2026-04-09T15:38:35.823Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:34.930

Modified: 2026-04-24T18:06:24.707

Link: CVE-2026-39641

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:40:47Z

Weaknesses