CVE-2026-39619
Published: 08 April 2026
Summary
CVE-2026-39619 is a critical-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely identification, reporting, and patching of the CSRF-to-file-upload flaw in the Busiprof WordPress theme.
Prevents CSRF exploitation of the vulnerable upload endpoint through mechanisms like anti-CSRF tokens to ensure session request authenticity.
Blocks arbitrary web shell uploads by validating all inputs to the vulnerable theme endpoint, rejecting malicious files.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CSRF vulnerability in a public-facing WordPress theme directly enables remote exploitation to upload and deploy a web shell, mapping to T1190 (Exploit Public-Facing Application) for initial access and T1505.003 (Web Shell) for the resulting server compromise and RCE capability.
NVD Description
Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Busiprof busiprof allows Upload a Web Shell to a Web Server.This issue affects Busiprof: from n/a through <= 2.5.2.
Deeper analysisAI
CVE-2026-39619 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the Busiprof WordPress theme developed by priyanshumittal. It affects versions from n/a through 2.5.2 and enables attackers to upload a web shell to the web server. The vulnerability carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), reflecting its critical severity due to network accessibility, low attack complexity, lack of prerequisite privileges, required user interaction, changed scope, and high impacts across confidentiality, integrity, and availability.
Attackers can exploit this remotely without authentication by tricking a user—typically an authenticated site administrator—into interacting with a malicious webpage or link. This user interaction triggers a forged request to the vulnerable Busiprof theme endpoint, resulting in the arbitrary upload of a web shell. Successful exploitation grants the attacker high-level control over the server, potentially leading to remote code execution, data theft, modification, or denial of service.
The Patchstack advisory documents this as a CSRF-to-arbitrary-file-upload vulnerability specifically in Busiprof theme version 2.5.2, providing details on the affected WordPress theme for further assessment.
Details
- CWE(s)