Cyber Resilience

CVE-2026-39617

Critical

Published: 08 April 2026

Published
08 April 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0014 3.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-39617 is a critical-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-39617 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Bluestreet WordPress theme developed by priyanshumittal. The issue affects Bluestreet versions from unknown initial release through 1.7.3. Published on 2026-04-08, it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), marking it as critical due to its potential for severe impact across confidentiality, integrity, and availability.

Remote attackers require no privileges (PR:N) but need to trick an authenticated user, typically an administrator, into interacting with a malicious webpage (UI:R). This enables forged requests over the network (AV:N) with low complexity (AC:L), leading to arbitrary plugin installation on the target WordPress site. Exploitation changes scope (S:C), granting high-impact control that could facilitate further compromise, such as code execution or persistent access.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/bluestreet/vulnerability/wordpress-bluestreet-theme-1-7-3-cross-site-request-forgery-csrf-to-arbitrary-plugin-installation-vulnerability?_s_id=cve) documents the CSRF-to-arbitrary-plugin-installation vector in Bluestreet 1.7.3. Security practitioners should verify for patched versions beyond 1.7.3, apply updates promptly, implement CSRF tokens in custom themes, and monitor for unauthorized plugin changes.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Bluestreet bluestreet allows Cross Site Request Forgery.This issue affects Bluestreet: from n/a through <= 1.7.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

CSRF vulnerability in public-facing WordPress theme directly enables exploitation via T1190 (Exploit Public-Facing Application) by allowing forged requests to install arbitrary plugins; this facilitates T1505.003 (Web Shell) as malicious plugins can be installed for code execution and persistence.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-37054Shared CWE-352
CVE-2025-11087Shared CWE-352
CVE-2026-39619Shared CWE-352
CVE-2024-11641Shared CWE-352
CVE-2025-23922Shared CWE-352
CVE-2026-39620Shared CWE-352
CVE-2018-25176Shared CWE-352
CVE-2026-33507Shared CWE-352
CVE-2024-13913Shared CWE-352
CVE-2026-3772Shared CWE-352

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-23 mandates session authenticity mechanisms like CSRF tokens to prevent forged requests tricking authenticated users into arbitrary plugin installations.

prevent

SI-2 requires timely flaw remediation through patching vulnerable Bluestreet theme versions up to 1.7.3 to eliminate the CSRF vulnerability.

detect

SI-4 enables monitoring of system activities to detect unauthorized plugin installations resulting from successful CSRF exploitation.

References