{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39621", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:27.974Z", "datePublished": "2026-04-08T08:30:26.321Z", "dateUpdated": "2026-04-08T08:30:26.321Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "spicepress", "product": "SpicePress", "vendor": "spicethemes", "versions": [{"lessThanOrEqual": "2.3.2.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:38.757Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicepress allows Upload a Web Shell to a Web Server.<p>This issue affects SpicePress: from n/a through <= 2.3.2.5.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicepress allows Upload a Web Shell to a Web Server.This issue affects SpicePress: from n/a through <= 2.3.2.5."}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "Upload a Web Shell to a Web Server"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:26.321Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/spicepress/vulnerability/wordpress-spicepress-theme-2-3-2-5-csrf-to-arbitrary-plugin-installation-vulnerability?_s_id=cve"}], "title": "WordPress SpicePress theme <= 2.3.2.5 - CSRF to Arbitrary Plugin Installation vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicepress allows Upload a Web Shell to a Web Server.This issue affects SpicePress: from n/a through <= 2.3.2.5."}], "id": "CVE-2026-39621", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:32.270", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/spicepress/vulnerability/wordpress-spicepress-theme-2-3-2-5-csrf-to-arbitrary-plugin-installation-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.2.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "SpicePress", "source": "cna", "vendor": "spicethemes"}, "product": "spicepress", "vendor": "spicethemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:39:30.290055+00:00", "value": {"mitigation_remediation": ["Update the SpicePress theme to the latest available release (2.3.2.6 or later).", "If an update cannot be applied immediately, disable or remove the plugin upload interface or restrict it to trusted administrators only.", "Ensure all upload endpoints include proper CSRF tokens and verify file types before saving.", "Review and restrict user roles so that only necessary users have permission to install plugins.", "Observe server logs for unexpected uploads or shell\u2011like files and block them promptly."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Web Shell"}, "threat_synthesis": {"affected_systems": "WordPress sites using the SpicePress theme from any version up to and including 2.3.2.5 are affected. The vulnerability is present in the theme component supplied by spicethemes. The issue exists regardless of other themes or plugins being present.", "description_and_impact": "The SpicePress theme contains a Cross\u2011Site Request Forgery flaw that lets an unauthenticated attacker trick an authenticated WordPress user into uploading a web shell through the plugin installation interface. This flaw enables the attacker to gain full administrative access to the site and execute arbitrary code on the server, compromising confidentiality, integrity and availability. The weakness is identified as CWE\u2011352.", "risk_and_exploitability": "The vulnerability can be exploited by sending a crafted request to a user who is logged in and has permission to install plugins. An attacker does not need additional privilege escalation beyond the normal admin context, making the attack path straightforward. No formal CVSS or EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, because of the potential for remote code execution, the risk to affected sites is high if no countermeasures are applied."}}}}, "created": "2026-04-08T19:29:38.448962+00:00", "updated": "2026-04-08T19:41:55.304080+00:00", "vendors": ["spicethemes", "spicethemes$PRODUCT$spicepress", "wordpress", "wordpress$PRODUCT$wordpress"]}