Description
Cross-Site Request Forgery (CSRF) vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Cross Site Request Forgery.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.
Published: 2026-04-08
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via CSRF
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery flaw that allows an attacker to trick an authenticated user into performing unintended actions. By exploiting this flaw, a malicious actor could force a logged‑in administrator to make changes that the attacker wishes, potentially modifying site content, settings, or even injecting malicious code. The weakness is identified as CWE‑352.

Affected Systems

The flaw affects the RT‑Theme 18 | Extensions plugin from any version up to and including 2.5. Users of WordPress sites that have this plugin installed and enabled are potentially exposed.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score is below 1%, suggesting that exploitation is currently unlikely but possible. The vulnerability is not listed in the CISA KEV catalog, yet attackers could still craft simple CSRF requests. Exploitation requires an authenticated user to visit a crafted URL, implying that privileged users are the primary target. This could lead to untrusted modifications of site content or configuration, compromising confidentiality, integrity, or availability of the affected WordPress site.

Generated by OpenCVE AI on April 8, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RT‑Theme 18 | Extensions to version 2.6 or newer where the CSRF issue is fixed
  • If an upgrade is not possible, disable the plugin to eliminate the attack surface
  • Configure your web server or WordPress to require CSRF tokens for all state‑changing requests

Generated by OpenCVE AI on April 8, 2026 at 15:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Stmcan
Stmcan rt-theme 18 | Extensions
Wordpress
Wordpress wordpress
Vendors & Products Stmcan
Stmcan rt-theme 18 | Extensions
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Cross Site Request Forgery.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.
Title WordPress RT-Theme 18 | Extensions plugin <= 2.5 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References

Subscriptions

Stmcan Rt-theme 18 | Extensions
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T13:13:38.476Z

Reserved: 2026-04-07T10:58:22.476Z

Link: CVE-2026-39710

cve-icon Vulnrichment

Updated: 2026-04-08T13:13:15.062Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T09:16:43.877

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39710

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:40:07Z

Weaknesses