CVE-2026-39617
Published: 08 April 2026
Summary
CVE-2026-39617 is a critical-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 6.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 requires session-authenticity mechanisms such as anti-CSRF tokens (WordPress nonces bound to the action and the user's session), which prevent a forged cross-site request from triggering a plugin installation inside an authenticated administrator's session.
SI-2 requires timely flaw remediation: Bluestreet installations at version 1.7.3 or earlier must be updated to a release that removes the CSRF flaw as soon as one is available.
SI-4 requires monitoring of system activity so that plugin installations and activations not initiated by an administrator, the expected outcome of successful exploitation, are detected.
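As an added illustration of the SC-23 point (this is not Bluestreet's code, which this page does not reproduce), the hypothetical theme handler below shows the CSRF-to-plugin-installation pattern in a vulnerable form and beside it the hardened form. Everything prefixed `bs_demo_` is invented for the example; the WordPress APIs it calls (`check_admin_referer`, `current_user_can`, `wp_nonce_field`, `plugins_api`, `Plugin_Upgrader`) are real.

```php
<?php
// Added example, not code from the Bluestreet theme. Names prefixed bs_demo_
// are hypothetical. Runs inside WordPress (theme functions.php or an mu-plugin).

// VULNERABLE PATTERN: the handler assumes a request to admin-post.php came
// from an intentional click. A page on any origin can auto-submit a form to
// admin-post.php?action=bs_demo_install with a chosen slug; the browser
// attaches the victim's logged-in cookie and the plugin gets installed.
// (Defined only for comparison; it is deliberately never registered below.)
function bs_demo_install_plugin_vulnerable() {
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    bs_demo_do_install( $slug );          // no nonce, no capability check
    wp_safe_redirect( admin_url( 'themes.php' ) );
    exit;
}

// HARDENED: (1) nonce tied to the action and the user's session (SC-23),
// (2) explicit capability check, (3) slug validated against an allowlist.
function bs_demo_install_plugin_hardened() {
    // Calls wp_die() with HTTP 403 unless _wpnonce matches 'bs_demo_install'.
    check_admin_referer( 'bs_demo_install', '_wpnonce' );

    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_die( esc_html__( 'Insufficient privileges.', 'bs-demo' ), 403 );
    }

    $slug = sanitize_key( $_POST['slug'] ?? '' );
    if ( '' === $slug || ! in_array( $slug, bs_demo_allowed_slugs(), true ) ) {
        wp_die( esc_html__( 'Unknown plugin.', 'bs-demo' ), 400 );
    }

    bs_demo_do_install( $slug );
    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}

// Allowlist so the theme can only install plugins it explicitly recommends;
// the slug here is a placeholder for the example.
function bs_demo_allowed_slugs() {
    return array( 'classic-widgets' );
}

// Shared installer built on WordPress' own upgrader classes.
function bs_demo_do_install( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) ) {
        wp_die( esc_html( $api->get_error_message() ), 500 );
    }
    $upgrader = new Plugin_Upgrader( new Automatic_Upgrader_Skin() );
    $upgrader->install( $api->download_link );
}

// Only the hardened handler is wired up (admin_post_* fires for logged-in users).
add_action( 'admin_post_bs_demo_install', 'bs_demo_install_plugin_hardened' );

// The legitimate form must carry the nonce; wp_nonce_field() emits both the
// _wpnonce and _wp_http_referer hidden fields that check_admin_referer() expects.
function bs_demo_render_install_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'bs_demo_install', '_wpnonce' ); ?>
        <input type="hidden" name="action" value="bs_demo_install">
        <input type="hidden" name="slug" value="classic-widgets">
        <?php submit_button( __( 'Install recommended plugin', 'bs-demo' ) ); ?>
    </form>
    <?php
}
```

The nonce alone stops a cross-origin page from forging the request, because the attacker cannot read the victim's nonce value; the capability check is still needed so that a low-privilege user with a valid nonce cannot install plugins, and the allowlist keeps the handler from becoming a generic installer for any slug the request names.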
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF flaw sits in a public-facing WordPress theme, so exploitation maps to T1190 (Exploit Public-Facing Application): a forged request made in an administrator's session installs an attacker-chosen plugin. Because a plugin runs arbitrary PHP on the site, this in turn enables T1505.003 (Web Shell), giving the attacker code execution and persistence.
NVD Description
Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Bluestreet bluestreet allows Cross Site Request Forgery. This issue affects Bluestreet: from n/a through <= 1.7.3.
Deeper analysis
CVE-2026-39617 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Bluestreet WordPress theme developed by priyanshumittal. It affects every Bluestreet release up to and including 1.7.3 (the lower bound is listed as n/a). Published on 2026-04-08, it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), rated critical because of its high impact on confidentiality, integrity, and availability.
Remote attackers need no privileges of their own (PR:N) but must lure an authenticated user, typically an administrator, into loading a malicious page (UI:R). That page issues a request to the vulnerable theme endpoint over the network (AV:N) with low complexity (AC:L); the browser attaches the victim's session cookie, and because the endpoint does not verify that the request was intentionally made from the site itself (no nonce check), WordPress processes it as the administrator's own action and installs an arbitrary plugin. The scope change (S:C) reflects that control over the WordPress site extends beyond the theme component, and an attacker-supplied plugin yields PHP code execution and persistent access.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/bluestreet/vulnerability/wordpress-bluestreet-theme-1-7-3-cross-site-request-forgery-csrf-to-arbitrary-plugin-installation-vulnerability?_s_id=cve) documents the CSRF-to-arbitrary-plugin-installation vector in Bluestreet 1.7.3. Security practitioners should check whether a release later than 1.7.3 is available and upgrade promptly, protect state-changing actions in custom themes and plugins with WordPress nonces (check_admin_referer or wp_verify_nonce) together with capability checks, and monitor for plugin installations and activations that no administrator initiated.
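To make the monitoring recommendation above concrete, here is an added example (not part of Bluestreet, Patchstack, or WordPress core) of a small must-use plugin that records plugin installs and activations and flags requests whose Referer is off-site or absent, the typical signature of a CSRF-driven action. Function names prefixed `bs_demo_` and the log sink (`error_log`) are assumptions; the hooks `upgrader_process_complete` and `activated_plugin` and the helper functions are WordPress' own.

```php
<?php
// Added example for SI-4 style monitoring. Place in wp-content/mu-plugins/.
// bs_demo_* names are hypothetical; the hooks and helpers are WordPress APIs.

// Collect who made the request and from where.
function bs_demo_request_context() {
    $user    = wp_get_current_user();
    $referer = isset( $_SERVER['HTTP_REFERER'] )
        ? (string) wp_parse_url( $_SERVER['HTTP_REFERER'], PHP_URL_HOST )
        : '';
    $site    = (string) wp_parse_url( home_url(), PHP_URL_HOST );
    return array(
        'user'    => $user->exists() ? $user->user_login : 'anonymous',
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? '',
        'referer' => '' !== $referer ? $referer : '(none)',
        // A state-changing admin request whose Referer is another origin or
        // missing is a strong CSRF indicator, though not proof on its own.
        'offsite' => ( $referer !== $site ) ? 'YES' : 'no',
        'uri'     => $_SERVER['REQUEST_URI'] ?? '',
    );
}

// Emit one JSON line per event; swap error_log() for your SIEM forwarder.
function bs_demo_log( $event, array $extra ) {
    $ctx = array_merge( array( 'event' => $event ), $extra, bs_demo_request_context() );
    error_log( 'bs-demo-audit ' . wp_json_encode( $ctx ) );
}

// Fired by Plugin_Upgrader after an install or update completes.
add_action( 'upgrader_process_complete', function ( $upgrader, $hook_extra ) {
    if ( ( $hook_extra['type'] ?? '' ) !== 'plugin' ) {
        return;
    }
    // Plugin_Upgrader::plugin_info() returns the basename of the plugin just handled.
    $plugin = method_exists( $upgrader, 'plugin_info' ) ? (string) $upgrader->plugin_info() : '';
    bs_demo_log( 'plugin_' . ( $hook_extra['action'] ?? 'unknown' ), array( 'plugin' => $plugin ) );
}, 10, 2 );

// Fired whenever a plugin is activated.
add_action( 'activated_plugin', function ( $plugin, $network_wide ) {
    bs_demo_log( 'plugin_activate', array(
        'plugin'  => $plugin,
        'network' => $network_wide ? 'yes' : 'no',
    ) );
}, 10, 2 );
```

The `offsite` field is the detection value-add: a legitimate install from the dashboard carries the site's own host in Referer, whereas a request forged from an attacker's page carries that page's host (or none, depending on referrer policy). Alert on `plugin_install` or `plugin_activate` events with `offsite: YES`, and compare the logged plugin basenames against the set of plugins your change process approved.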
Details
- CWE(s)