Description
Unauthenticated Cross Site Request Forgery (CSRF) in Child Theme Wizard <= 1.4 versions.
Published: 2026-06-26
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross Site Request Forgery (CSRF) lets an attacker who holds no account on the site trick a logged-in user into performing unintended actions within the WordPress Child Theme Wizard plugin: a request forged from another origin is sent by the victim's browser together with the victim's session cookies, so the plugin executes it with the victim's privileges. Any authenticated WordPress user can thus unknowingly trigger operations that modify or persist data, which compromises site integrity and opens the way to further exploitation if sensitive operations are exposed through the plugin.

Affected Systems

The vulnerability affects the Child Theme Wizard WordPress plugin, version 1.4 and earlier, published by Jay Versluis. Sites running these plugin versions are at risk regardless of the WordPress core version, because the missing CSRF protection lies in the plugin itself.

Risk and Exploitability

The CVSS score of 8.2 classifies the issue as high severity. No EPSS score has been assigned, so the likelihood of exploitation in the wild cannot be estimated from that source, and the vulnerability is not listed in CISA's KEV catalog. The high severity and the nature of CSRF nonetheless mean that an attacker can exploit it easily by hosting a malicious page that issues requests from a victim's browser while the victim is logged into the site; the vector's PR:N/UI:R components reflect exactly this (no privileges required, but a user must be lured into interacting).

Generated by OpenCVE AI on June 26, 2026 at 17:40 UTC.

Remediation

Vendor Solution

Update the WordPress Child Theme Wizard Plugin to the latest available version (at least 1.5).


OpenCVE Recommended Actions

  • Update the Child Theme Wizard plugin to version 1.5 or later
  • If an immediate update is not possible, deactivate or uninstall the vulnerable plugin until a patch can be applied
  • Deploy a WordPress security plugin that enforces CSRF tokens on all state‑changing requests as a compensating control

Generated by OpenCVE AI on June 26, 2026 at 17:40 UTC.
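The compensating control recommended above works only because a CSRF token (a WordPress "nonce") is something a page on a foreign origin cannot read or forge, so a cross-site request fails the check even though it carries the victim's cookies. The following is an added illustration, not code from the Child Theme Wizard plugin or from OpenCVE: a hypothetical admin-post handler in the unprotected shape that CWE-352 describes, followed by its hardened form using WordPress's own nonce and capability APIs. All `ctw_demo_*` names, the `ctw_demo_create` action and the `ctw_demo_nonce` field are invented for the example; it assumes it is loaded as part of a plugin inside WordPress.

```php
<?php
/*
 * Added example, not the plugin's own code. Hypothetical names throughout
 * (ctw_demo_*); assumes WordPress is loaded so wp_nonce_field(),
 * check_admin_referer(), current_user_can() etc. are available.
 */

// --- Unprotected pattern (CWE-352): acts on any POST that reaches it.
// A form submitted from another site arrives with the victim's session
// cookie, so WordPress considers the user logged in and this code runs
// with that user's privileges. Nothing here proves the request originated
// from a page this site served to that user.
function ctw_demo_vulnerable_handler() {
    $slug = sanitize_title( wp_unslash( $_POST['child_slug'] ?? '' ) );
    ctw_demo_create_child_theme( $slug );   // state change, no origin proof
    wp_safe_redirect( admin_url( 'themes.php' ) );
    exit;
}

// --- Hardened form, part 1: the form embeds a nonce bound to the current
// user session and to the action name. A cross-origin attacker cannot obtain it.
function ctw_demo_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ctw_demo_create">
        <?php wp_nonce_field( 'ctw_demo_create', 'ctw_demo_nonce' ); ?>
        <input type="text" name="child_slug" placeholder="child theme slug">
        <button type="submit">Create child theme</button>
    </form>
    <?php
}

// --- Hardened form, part 2: authorization first, then CSRF proof, then input.
function ctw_demo_hardened_handler() {
    // 1. Capability check: only users allowed to manage themes may proceed.
    //    (Nonces are not an authorization mechanism; both checks are needed.)
    if ( ! current_user_can( 'install_themes' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: check_admin_referer() verifies the nonce for this action
    //    and calls wp_die() if it is missing, expired, or issued to another user.
    check_admin_referer( 'ctw_demo_create', 'ctw_demo_nonce' );

    // 3. Input handling only after the request is known to be legitimate.
    $slug = sanitize_title( wp_unslash( $_POST['child_slug'] ?? '' ) );
    if ( '' === $slug ) {
        wp_die( 'Missing child theme slug.', '', array( 'response' => 400 ) );
    }

    ctw_demo_create_child_theme( $slug );
    wp_safe_redirect( add_query_arg( 'ctw_demo_created', $slug, admin_url( 'themes.php' ) ) );
    exit;
}

// Hypothetical stand-in for the real work (writing style.css / functions.php
// under the theme root); the actual plugin's logic is not on this page.
function ctw_demo_create_child_theme( $slug ) {
    // intentionally left as a placeholder for the example
}

// Register only the hardened handler. admin_post_{action} fires for logged-in
// users; the vulnerable function above is shown for contrast and never hooked.
add_action( 'admin_post_ctw_demo_create', 'ctw_demo_hardened_handler' );
```

The ordering matters: the capability check rejects low-privilege users outright, the nonce check rejects requests that were not initiated from a form this site rendered for this user, and only then is untrusted input touched. A site-wide security plugin that injects and verifies nonces on state-changing requests is applying the same check generically, which is why it is a reasonable stopgap until the fixed plugin version is installed.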


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:30:00 +0000

Values removed: none
Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Values removed: none
Values added:
  • Description: Unauthenticated Cross Site Request Forgery (CSRF) in Child Theme Wizard <= 1.4 versions.
  • Title: WordPress Child theme Wizard plugin <= 1.4 - Cross Site Request Forgery (CSRF) vulnerability
  • Weaknesses: CWE-352
  • References
  • Metrics (cvssV3_1): {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T20:15:32.578Z

Reserved: 2026-06-25T08:03:24.124Z

Link: CVE-2026-57655

Vulnrichment

Updated: 2026-06-26T20:15:28.085Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:45:03Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)