VYPR
Medium severity · 6.5 · NVD Advisory · Published Apr 8, 2026 · Updated Apr 29, 2026

CVE-2026-39633

Description

Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Car Rental grandcarrental allows Cross Site Request Forgery. This issue affects Grand Car Rental: from n/a through <= 3.6.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Grand Car Rental theme ≤3.6.9 has a CSRF flaw allowing attackers to force privileged users into unintended actions.

Vulnerability

Overview

The Grand Car Rental WordPress theme, developed by ThemeGoods, contains a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 3.6.9 [1]. This flaw arises from insufficient validation of request origins, enabling an attacker to craft malicious requests that are executed under the authentication of a higher-privileged user [1].

Exploitation

Details

Exploitation requires user interaction: a privileged user (such as an administrator) must be tricked into clicking a malicious link, visiting a crafted page, or submitting a specially designed form while authenticated to the WordPress site [1]. No additional privileges are needed from the attacker beyond the ability to deliver the crafted payload to the victim [1].

Impact

Successful exploitation allows an attacker to force the victim to perform unintended actions under their current session, such as changing settings, creating new admin accounts, or modifying content [1]. This type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].

Mitigation

The vendor has not yet released a patched version; users are advised to update the theme as soon as a fix becomes available [1]. As an immediate workaround, site owners should contact their hosting provider or web developer for assistance in applying temporary protections, such as implementing additional CSRF tokens or using a Web Application Firewall (WAF) [1].
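To illustrate the CSRF-token protection mentioned above, here is an added example (not code from Grand Car Rental or ThemeGoods) of a hypothetical WordPress theme settings handler, shown first without and then with WordPress's built-in nonce and capability checks. Every demo_ name, the option key and the settings page slug are assumptions.

```php
<?php
/**
 * Added example (not Grand Car Rental's code): a hypothetical theme settings
 * handler shown first without, then with, WordPress's built-in CSRF protection.
 * The demo_ names, the option key and the page slug are assumptions.
 */

// VULNERABLE: the only thing this handler relies on is that the browser sent the
// admin's session cookie, which it also does for a POST forged by another site.
function demo_save_settings_vulnerable() {
    update_option( 'demo_contact_email', $_POST['contact_email'] );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-settings' ) );
    exit;
}

// HARDENED: the form embeds a nonce bound to this action and the logged-in user;
// a page on another origin cannot read it, so a forged POST fails the check.
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_settings">
        <?php wp_nonce_field( 'demo_save_settings', 'demo_nonce' ); ?>
        <input type="email" name="contact_email"
               value="<?php echo esc_attr( get_option( 'demo_contact_email', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function demo_save_settings_hardened() {
    // Capability check: only users allowed to manage options may reach this code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: wp_die()s with a 403 unless demo_nonce is valid for this action.
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );

    // Validate and sanitize the input before persisting it.
    $email = sanitize_email( wp_unslash( $_POST['contact_email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid e-mail address.', '', array( 'response' => 400 ) );
    }
    update_option( 'demo_contact_email', $email );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-settings' ) );
    exit;
}
// Route the form's action=demo_save_settings POST to the hardened handler.
add_action( 'admin_post_demo_save_settings', 'demo_save_settings_hardened' );
```

A WAF rule that blocks cross-origin POSTs to admin-post.php is a stopgap; the nonce and capability checks inside the handler are what actually close the CSRF gap.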

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (No linked articles in our index yet.)