{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39617", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:27.974Z", "datePublished": "2026-04-08T08:30:25.380Z", "dateUpdated": "2026-04-09T14:52:06.074Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "bluestreet", "product": "Bluestreet", "vendor": "priyanshumittal", "versions": [{"lessThanOrEqual": "1.7.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:37.865Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Bluestreet bluestreet allows Cross Site Request Forgery.<p>This issue affects Bluestreet: from n/a through <= 1.7.3.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Bluestreet bluestreet allows Cross Site Request Forgery.This issue affects Bluestreet: from n/a through <= 1.7.3."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:25.380Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/bluestreet/vulnerability/wordpress-bluestreet-theme-1-7-3-cross-site-request-forgery-csrf-to-arbitrary-plugin-installation-vulnerability?_s_id=cve"}], "title": "WordPress Bluestreet theme <= 1.7.3 - Cross Site Request Forgery (CSRF) to Arbitrary Plugin Installation vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:51:51.422751Z", "id": "CVE-2026-39617", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:52:06.074Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39617", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T14:51:51.422751Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:51:46.350Z"}}], "cna": {"title": "WordPress Bluestreet theme <= 1.7.3 - Cross Site Request Forgery (CSRF) to Arbitrary Plugin Installation vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "affected": [{"vendor": "priyanshumittal", "product": "Bluestreet", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.7.3"}], "packageName": "bluestreet", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:37.865Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/bluestreet/vulnerability/wordpress-bluestreet-theme-1-7-3-cross-site-request-forgery-csrf-to-arbitrary-plugin-installation-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Bluestreet bluestreet allows Cross Site Request Forgery.This issue affects Bluestreet: from n/a through <= 1.7.3.", "supportingMedia": [{"type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Bluestreet bluestreet allows Cross Site Request Forgery.<p>This issue affects Bluestreet: from n/a through <= 1.7.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:25.380Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39617", "state": "PUBLISHED", "dateUpdated": "2026-04-09T14:52:06.074Z", "dateReserved": "2026-04-07T10:57:27.974Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:25.380Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Bluestreet bluestreet allows Cross Site Request Forgery.This issue affects Bluestreet: from n/a through <= 1.7.3."}], "id": "CVE-2026-39617", "lastModified": "2026-04-09T16:16:28.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:31.600", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/bluestreet/vulnerability/wordpress-bluestreet-theme-1-7-3-cross-site-request-forgery-csrf-to-arbitrary-plugin-installation-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Bluestreet", "source": "cna", "vendor": "priyanshumittal"}, "product": "bluestreet", "vendor": "priyanshumittal"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T11:07:48.033664+00:00", "value": {"mitigation_remediation": ["Upgrade the Bluestreet theme to a version newer than 1.7.3.", "If upgrading is not immediately possible, deactivate or remove the Bluestreet theme to eliminate the attack surface.", "After applying a fix, review and delete any plugins that may have been installed through CSRF exploitation.", "Restrict the ability to install plugins to administrator accounts only and monitor install logs for suspicious activity."], "summary": {"action": "Patch Immediately", "impact": "Arbitrary Plugin Installation via CSRF"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Bluestreet theme by Priyanshu Mittal with a version of 1.7.3 or earlier are affected. No other vendors or products are listed in the CNA data, and no additional version ranges are specified beyond the upper bound of 1.7.3.", "description_and_impact": "This flaw is a cross\u2011site request forgery that permits an attacker to trigger the installation of any WordPress plugin on a site using the affected theme. The installation process can include malicious code, giving the attacker the same level of control that a legitimate plugin could provide. The weakness matches CWE\u2011352, the classic CSRF defect that allows unauthorized actions under a victim\u2019s authenticated session.", "risk_and_exploitability": "The necessary condition for exploitation is an authenticated user session with permission to install plugins, and the ability to click a specially crafted link that submits an installation request. Based on the description, it is inferred that the attacker must entice a user to visit the forged URL through social engineering or embedded links. Because the vulnerability is a standard CSRF pattern and the CAPABILITY to install plugins can be granted to non\u2011administrator accounts, the risk is high on sites with permissive install options. The CVSS score is not reported, the EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. Nevertheless, the potential for arbitrary code execution makes the threat significant."}}}}, "created": "2026-04-08T19:29:42.842868+00:00", "updated": "2026-04-08T19:41:59.540425+00:00", "vendors": ["priyanshumittal", "priyanshumittal$PRODUCT$bluestreet", "wordpress", "wordpress$PRODUCT$wordpress"]}