CVE-2026-39634
Description
Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Portfolio (grandportfolio) allows Cross Site Request Forgery. This issue affects Grand Portfolio: from n/a through <= 3.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the Grand Portfolio WordPress theme (≤3.3) allows attackers to force privileged users to execute unintended actions.
Vulnerability
Overview A Cross-Site Request Forgery (CSRF) vulnerability has been discovered in the Grand Portfolio theme by ThemeGoods, affecting versions from n/a through 3.3 [1]. The issue stems from insufficient validation of request origins: a state-changing request is accepted without a WordPress nonce (or equivalent anti-CSRF token), so an attacker can craft a request that the browser submits with the victim's session cookies and that the site then executes in the context of an authenticated administrator [1].
Exploitation
Details Exploitation requires user interaction: a privileged user must click a malicious link, visit a crafted page, or submit a form while authenticated to the WordPress admin panel. The attacker needs no credentials of their own, but the victim must have an active session, and the attacker cannot read the response to the forged request (CSRF is a blind, write-only primitive). The attack surface is the WordPress admin interface, where the theme processes state-changing actions without proper CSRF tokens [1]. The advisory does not identify which handler or parameter is affected, so the exact forged request is not known from this page.
Impact
Successful exploitation could allow an attacker to force a higher-privileged user (e.g., an administrator) to perform unwanted actions under that user's current authentication, such as modifying theme settings or injecting attacker-controlled content through theme options. Which actions are actually reachable depends on which theme handler lacks the nonce check, and the advisory does not say; the common outcome for a theme CSRF is a settings or content change that can be chained with other weaknesses (for example, an option that renders unescaped HTML) toward full site compromise [1].
Mitigation
The vendor has not released a patched version as of the publication date. Users are advised to update the theme as soon as a fix becomes available, or to contact their hosting provider for assistance. As a workaround, a Web Application Firewall (WAF) can block requests to the affected admin endpoint whose Origin or Referer header is not the site itself, but that is only a partial stop-gap: a forged request otherwise looks identical to a legitimate one, and some browsers and privacy tools strip those headers. The real fix belongs in the theme's request handlers, which must verify a WordPress nonce and the caller's capability before making any state change. The synthesized narrative also claims the issue is being used in mass-exploit campaigns, but no linked article or reference on this page substantiates that; treat it as unverified and act on the missing-nonce finding itself, which is reason enough for prompt remediation [1].
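To make the mechanics described under Exploitation and Mitigation concrete, the following is an added, hypothetical illustration written for this page; it is not Grand Portfolio's code, and the advisory does not say which of the theme's handlers is affected. It shows a WordPress admin-post handler that saves a theme option in the insecure shape (no nonce, no capability check, so any page an administrator visits can POST to it), beside the hardened shape that rejects requests lacking a valid nonce or the required capability. The `gp_example_*` action, option and field names are assumptions for the example.

```php
<?php
/*
 * Hypothetical illustration, not Grand Portfolio's code.
 * Names prefixed gp_example_ are assumptions made for this example.
 */

// BEFORE: a state-changing action with no CSRF or capability check.
// Reachable via POST /wp-admin/admin-post.php?action=gp_example_save_insecure
add_action( 'admin_post_gp_example_save_insecure', 'gp_example_save_insecure' );
function gp_example_save_insecure() {
    // Whatever was posted, from any origin, is written to the database while
    // the administrator's session cookies ride along with the forged request.
    update_option( 'gp_example_footer_html', wp_unslash( $_POST['footer_html'] ?? '' ) );
    wp_safe_redirect( admin_url( 'themes.php?page=gp-example&saved=1' ) );
    exit;
}

// AFTER: capability check, nonce check, then sanitize before storing.
add_action( 'admin_post_gp_example_save', 'gp_example_save' );
function gp_example_save() {
    // 1. Authorization: only users allowed to change site settings get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF: the nonce is bound to the action name, the current user and the
    //    session, so a form on an attacker's site cannot supply a valid one.
    //    check_admin_referer() calls wp_die() on failure; the second argument
    //    is the name of the hidden field emitted by wp_nonce_field() below.
    check_admin_referer( 'gp_example_save', 'gp_example_nonce' );

    // 3. Input handling: remove the slashes WordPress adds, then restrict the
    //    stored HTML to the post-safe allow-list.
    $footer_html = wp_kses_post( wp_unslash( $_POST['footer_html'] ?? '' ) );
    update_option( 'gp_example_footer_html', $footer_html );

    wp_safe_redirect( admin_url( 'themes.php?page=gp-example&saved=1' ) );
    exit;
}

// The settings form that pairs with the hardened handler. wp_nonce_field()
// emits the hidden nonce input (plus a referer field) that
// check_admin_referer() expects to find in $_POST.
function gp_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="gp_example_save">
        <?php wp_nonce_field( 'gp_example_save', 'gp_example_nonce' ); ?>
        <textarea name="footer_html"><?php
            echo esc_textarea( get_option( 'gp_example_footer_html', '' ) );
        ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When auditing a theme for this class of bug, look for every `admin_post_*`, `wp_ajax_*` and `admin_init`-driven handler that calls `update_option()`, `wp_insert_post()`, `wp_update_user()` or writes files, and confirm each one reaches `check_admin_referer()` (or `check_ajax_referer()` for `wp_ajax_*` handlers, or `wp_verify_nonce()` directly) before the write. The nonce check and the capability check are independent controls: a nonce without `current_user_can()` still lets a low-privileged logged-in user call the handler, and a capability check without a nonce is exactly the CSRF condition this advisory describes.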
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Grand Portfolio (ThemeGoods), range: <= 3.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference on record (not displayed on this page).
News mentions
No linked articles in our index yet.