CVE-2026-39617
Published: 08 April 2026
Summary
CVE-2026-39617 is a critical-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-39617 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Bluestreet WordPress theme developed by priyanshumittal. The issue affects Bluestreet versions from an unspecified initial release through 1.7.3. Published on 2026-04-08, it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), marking it as critical because of its potential for severe impact on confidentiality, integrity, and availability.
Remote attackers require no privileges (PR:N) but must trick an authenticated user, typically an administrator, into interacting with a malicious webpage (UI:R). The forged request then travels over the network (AV:N) with low complexity (AC:L) and results in arbitrary plugin installation on the target WordPress site. Exploitation changes scope (S:C), granting high-impact control that could facilitate further compromise, such as code execution or persistent access.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/bluestreet/vulnerability/wordpress-bluestreet-theme-1-7-3-cross-site-request-forgery-csrf-to-arbitrary-plugin-installation-vulnerability?_s_id=cve) documents the CSRF-to-arbitrary-plugin-installation vector in Bluestreet 1.7.3. Security practitioners should check for a patched version beyond 1.7.3, apply updates promptly, protect state-changing actions in custom themes with CSRF tokens (nonces) and capability checks, and monitor for unauthorized plugin changes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20257
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Bluestreet bluestreet allows Cross Site Request Forgery. This issue affects Bluestreet: from n/a through <= 1.7.3.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A CSRF vulnerability in a public-facing WordPress theme directly enables exploitation via T1190 (Exploit Public-Facing Application), since forged requests can install arbitrary plugins; this in turn facilitates T1505.003 (Web Shell), because a malicious plugin can be installed for code execution and persistence.
Mitigating Controls (NIST 800-53 r5)
SC-23 mandates session authenticity mechanisms, such as CSRF tokens, to prevent forged requests from tricking authenticated users into arbitrary plugin installations.
SI-2 requires timely flaw remediation through patching vulnerable Bluestreet theme versions up to 1.7.3 to eliminate the CSRF vulnerability.
SI-4 enables monitoring of system activities to detect unauthorized plugin installations resulting from successful CSRF exploitation.
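The following is an added example, not code from the Bluestreet theme or from the Patchstack advisory, showing what SC-23 (a nonce-protected, capability-checked plugin-install handler, as recommended above for custom themes) and SI-4 (an audit trail of plugin installs and activations) look like in WordPress theme code. The action name `example_theme_install_plugin`, the function names, and the plugin slug allow-list are assumptions chosen for illustration; the WordPress APIs used (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `plugins_api`, `Plugin_Upgrader`, the `upgrader_process_complete` and `activated_plugin` hooks) are real.

```php
<?php
/*
 * Added example (not Bluestreet's code). Action name, function names, the
 * allow-listed slug and the log destination are assumptions for illustration.
 */

// 1. Render the form with a nonce bound to this action and to the current
//    user's session (SC-23: session authenticity).
function example_theme_render_install_form() {
    $slug = 'example-companion-plugin'; // constructed sample slug
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_theme_install_plugin">';
    echo '<input type="hidden" name="plugin_slug" value="' . esc_attr( $slug ) . '">';
    // Emits the _wpnonce and _wp_http_referer hidden fields.
    wp_nonce_field( 'example_theme_install_plugin' );
    submit_button( 'Install plugin' );
    echo '</form>';
}

// 2. Handle the POST. The vulnerability class described on this page arises
//    when a handler like this performs the installation without the two
//    checks at the top of the function.
function example_theme_handle_install() {
    // Capability check: only users permitted to install plugins may proceed.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: a request forged from another origin cannot carry a valid
    // nonce, so check_admin_referer() terminates here before any install.
    check_admin_referer( 'example_theme_install_plugin' );

    $slug = isset( $_POST['plugin_slug'] ) ? sanitize_key( wp_unslash( $_POST['plugin_slug'] ) ) : '';
    // Allow-list what the theme may install instead of trusting the request body.
    $allowed = array( 'example-companion-plugin' );
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_die( 'Plugin not permitted.', '', array( 'response' => 400 ) );
    }

    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) ) {
        wp_die( esc_html( $api->get_error_message() ) );
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $upgrader->install( $api->download_link );
    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}
add_action( 'admin_post_example_theme_install_plugin', 'example_theme_handle_install' );

// 3. Audit trail (SI-4): record every plugin install/update and activation,
//    with the acting user, so unexpected changes stand out in log review.
function example_theme_log_plugin_change( $upgrader, $hook_extra ) {
    if ( ! isset( $hook_extra['type'] ) || 'plugin' !== $hook_extra['type'] ) {
        return;
    }
    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-';
    // Written to PHP's error log here; forward that log to your SIEM.
    error_log( sprintf(
        '[%s] plugin %s by user=%s (id=%d) ip=%s',
        gmdate( 'c' ),
        isset( $hook_extra['action'] ) ? $hook_extra['action'] : 'unknown',
        $user->user_login,
        $user->ID,
        $ip
    ) );
}
add_action( 'upgrader_process_complete', 'example_theme_log_plugin_change', 10, 2 );

add_action( 'activated_plugin', function ( $plugin ) {
    $user = wp_get_current_user();
    error_log( sprintf( '[%s] plugin activated %s by user=%s', gmdate( 'c' ), $plugin, $user->user_login ) );
} );
```

The order of checks matters less than their presence: `check_admin_referer()` defeats the cross-site forgery itself, `current_user_can('install_plugins')` stops a low-privileged but authenticated victim from being used as a proxy, and the allow-list removes "arbitrary" from "arbitrary plugin installation" even if both other checks were somehow bypassed. The audit hooks fire for installs performed through any code path, not only this handler, which is what makes them useful for detecting a successful CSRF against an unpatched site.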