CVE-2026-39621
Published: 08 April 2026
Summary
CVE-2026-39621 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 3.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-39621 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the SpicePress WordPress theme developed by spicethemes. The issue affects SpicePress versions from n/a through 2.3.2.5 and enables attackers to upload a web shell to a web server. It received a CVSS v3.1 base score of 8.8 (High), reflecting its network accessibility, low attack complexity, lack of required privileges, and high impacts on confidentiality, integrity, and availability.
The vulnerability can be exploited by remote attackers with no authentication who trick an authenticated user—such as a site administrator—into interacting with a malicious webpage (UI:R). This user interaction triggers the CSRF, allowing the attacker to upload a web shell, potentially granting remote code execution, full server compromise, or persistence on the targeted WordPress site.
A Patchstack advisory details the vulnerability as a CSRF leading to arbitrary plugin installation in SpicePress theme version 2.3.2.5, available at https://patchstack.com/database/Wordpress/Theme/spicepress/vulnerability/wordpress-spicepress-theme-2-3-2-5-csrf-to-arbitrary-plugin-installation-vulnerability?_s_id=cve. Security practitioners should update to a patched version of the theme if available and implement CSRF protections such as tokens on administrative actions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20263
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicepress allows Upload a Web Shell to a Web Server. This issue affects SpicePress: from n/a through <= 2.3.2.5.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A CSRF vulnerability in a public-facing WordPress theme directly enables web shell upload through a malicious link that tricks an administrator (T1190, T1204.001, T1100).
Mitigating Controls (NIST 800-53 r5)
SC-23 enforces session authenticity mechanisms like CSRF tokens, directly preventing forged requests that trick authenticated users into uploading web shells via this vulnerability.
SI-2 requires timely flaw remediation, including patching the specific CSRF vulnerability in SpicePress versions up to 2.3.2.5 to block web shell uploads.
SI-10 validates inputs on file uploads, mitigating web shell uploads even if CSRF bypasses session checks by rejecting malicious content.
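As an added illustration of the token guidance in the analysis above and of the SC-23 control here (not code from SpicePress or spicethemes): a hypothetical WordPress admin-post handler that installs a plugin named by the request, shown first without any request-origin check (the CWE-352 pattern) and then with a nonce and a capability check. The hook name and all hyp_-prefixed identifiers are assumptions; the WordPress functions used are real core APIs.

```php
<?php
// Added illustration, not SpicePress code. Hook and hyp_* names are assumptions.

// Shared helper: fetch plugin metadata from wordpress.org and install the package.
function hyp_do_install( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        wp_die( $api );
    }
    $upgrader = new Plugin_Upgrader( new Automatic_Upgrader_Skin() );
    return $upgrader->install( $api->download_link );
}

// Weak pattern (CWE-352), shown for contrast and deliberately not hooked: the handler
// trusts the session cookie alone, so a form auto-submitted from any other site the
// logged-in administrator visits is honored as if the administrator had sent it.
function hyp_install_plugin_weak() {
    $slug = sanitize_key( $_POST['plugin_slug'] ?? '' );
    hyp_do_install( $slug );
}

// Hardened pattern: the nonce binds the request to this action and this user's session
// (SC-23), and the capability check limits the action to users allowed to install plugins.
function hyp_install_plugin_hardened() {
    // check_admin_referer() ends the request with a 403 unless _wpnonce is valid for the action.
    check_admin_referer( 'hyp_install_plugin' );
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $slug = sanitize_key( $_POST['plugin_slug'] ?? '' );
    if ( '' === $slug ) {
        wp_die( 'Missing plugin slug', '', array( 'response' => 400 ) );
    }
    hyp_do_install( $slug );
}
add_action( 'admin_post_hyp_install_plugin', 'hyp_install_plugin_hardened' );

// The legitimate form carries the matching nonce emitted by wp_nonce_field().
function hyp_render_install_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="hyp_install_plugin">';
    wp_nonce_field( 'hyp_install_plugin' );
    echo '<input type="text" name="plugin_slug">';
    submit_button( 'Install' );
    echo '</form>';
}
```

A cross-site form cannot read the nonce value from the victim's page, so the forged request fails the check_admin_referer() call before any install logic runs.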