{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39635", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:43.490Z", "datePublished": "2026-04-08T08:30:29.823Z", "dateUpdated": "2026-04-08T08:30:29.823Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "grandmagazine", "product": "Grand Magazine", "vendor": "ThemeGoods", "versions": [{"lessThanOrEqual": "3.5.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:36.468Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Magazine grandmagazine allows Cross Site Request Forgery.<p>This issue affects Grand Magazine: from n/a through <= 3.5.5.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Magazine grandmagazine allows Cross Site Request Forgery.This issue affects Grand Magazine: from n/a through <= 3.5.5."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:29.823Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/grandmagazine/vulnerability/wordpress-grand-magazine-theme-3-5-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress Grand Magazine theme <= 3.5.5 - Cross Site Request Forgery (CSRF) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Magazine grandmagazine allows Cross Site Request Forgery.This issue affects Grand Magazine: from n/a through <= 3.5.5."}], "id": "CVE-2026-39635", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:34.143", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/grandmagazine/vulnerability/wordpress-grand-magazine-theme-3-5-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.5.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "grand_magazine", "vendor": "themegoods"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:11:06.626937+00:00", "value": {"mitigation_remediation": ["Update the Grand Magazine theme to a version newer than 3.5.5 from ThemeGoods.", "Restrict theme configuration and content\u2011editing rights to administrators only.", "If an update cannot be applied immediately, deactivate or remove the Grand Magazine theme until a fix is available.", "Monitor site logs for anomalous changes and audit user activity regularly."], "summary": {"action": "Patch Now", "impact": "Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the Grand Magazine theme from ThemeGoods, specifically any release up to and including 3.5.5, are affected. The issue manifests whenever the theme's administrative or front\u2011end interfaces lack proper CSRF tokens for POST requests. No other themes or plugins are reported as impacted.", "description_and_impact": "A cross\u2011site request forgery flaw in the Grand Magazine theme, version 3.5.5 and earlier, allows an attacker to trick authenticated users into sending unintended state\u2011changing requests. The missing CSRF protection means that malicious links or embedded forms can force site owners to perform actions such as editing content or modifying theme settings. This attack path is a classic example of CWE\u2011352 and does not grant direct code execution but can lead to data tampering or configuration changes.", "risk_and_exploitability": "The CVSS score is not provided and EPSS data is unavailable; however, CSRF vulnerabilities are typically exploitable through social engineering or malicious URLs and only require an authenticated session. While the flaw is not listed in CISA's KEV catalog and no public exploit code is disclosed, the potential for unauthorized changes is significant. Site owners should therefore update promptly and reduce the attack surface by limiting administrative privileges."}}}}, "created": "2026-04-08T19:41:40.178107+00:00", "updated": "2026-04-09T08:22:06.902246+00:00", "vendors": ["themegoods", "themegoods$PRODUCT$grand_magazine", "wordpress", "wordpress$PRODUCT$wordpress"]}