CVE-2026-39640
Published: 08 April 2026
Summary
CVE-2026-39640 is a critical-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CSRF by enforcing session authenticity mechanisms such as anti-CSRF tokens on state-changing operations like theme editing.
Validates and sanitizes user inputs to prevent arbitrary code injection even if a CSRF request bypasses session checks.
Ensures timely remediation of the specific CSRF-to-RCE flaw in Theme Editor plugin versions through <= 3.2 by applying patches.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CSRF vulnerability in the public-facing WordPress plugin directly enables exploitation of T1190 by allowing remote unauthenticated attackers to trigger code injection leading to RCE. The attack requires tricking an authenticated user into interacting with a malicious webpage or link, mapping to T1204.001.
NVD Description
Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection.This issue affects Theme Editor: from n/a through <= 3.2.
Deeper analysisAI
CVE-2026-39640 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Theme Editor WordPress plugin developed by mndpsingh287. The flaw enables code injection and affects the plugin from unknown initial versions through version 3.2 inclusive. It carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), reflecting its critical severity due to network accessibility, low attack complexity, lack of required privileges, user interaction dependency, and cross-scope impacts on confidentiality, integrity, and availability.
Attackers can exploit this vulnerability remotely without authentication by tricking a logged-in WordPress user—such as an administrator—into interacting with a malicious webpage or resource. This user interaction triggers the CSRF-protected action, allowing the attacker to inject and execute arbitrary code on the vulnerable site, potentially leading to remote code execution.
The Patchstack advisory provides further details on this CSRF-to-remote-code-execution issue in Theme Editor version 3.2, available at https://patchstack.com/database/Wordpress/Plugin/theme-editor/vulnerability/wordpress-theme-editor-plugin-3-2-cross-site-request-forgery-csrf-to-remote-code-execution-vulnerability?_s_id=cve.
Details
- CWE(s)