Platform
wordpress
Component
rt18-extensions
Fixed in
2.5.4
CVE-2026-39710 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the RT-Theme 18 | Extensions plugin for WordPress. The vulnerability lets an attacker cause unauthorized actions on a user's account if that logged-in user is tricked into clicking a malicious link. It affects versions from 0.0.0 through 2.5, and a patch is available in version 2.5.4.
A successful CSRF attack could allow an attacker to modify user profiles, change settings, or perform other actions as the logged-in user without their knowledge or consent. The impact is particularly severe when the victim holds administrative privileges or the plugin handles sensitive data. Attackers could craft malicious links or embed them in emails or websites to trick users into triggering these actions. The blast radius extends to any user of the affected plugin, especially those with elevated privileges.
This vulnerability was publicly disclosed on 2026-04-08. There are currently no known public proof-of-concept exploits available. The CVSS score of 5.4 (Medium) indicates a moderate risk. It is not listed on the CISA KEV catalog at the time of writing.
Websites using the RT-Theme 18 | Extensions plugin, particularly those with user accounts and sensitive data, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise on one site could potentially affect others.
• wordpress / composer / npm:
grep -r 'stmcan RT-Theme 18 | Extensions' /var/www/html/
wp plugin list | grep rt18-extensions
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/rt18-extensions/ | grep -i 'rt18-extensions'
Disclosure
Exploit status
EPSS
0.02% (4th percentile)
CVSS vector
The primary mitigation is to upgrade the RT-Theme 18 | Extensions plugin to version 2.5.4 or later. If upgrading immediately is not possible, consider temporary workarounds such as adding CSRF tokens (WordPress nonces) to all sensitive forms and state-changing actions within the plugin. Web Application Firewalls (WAFs) can also be configured to filter out requests matching patterns associated with CSRF attacks, though a WAF cannot distinguish a forged request from a legitimate one with certainty. After upgrading, confirm the vulnerability is resolved by attempting to trigger a sensitive action via a crafted URL from a logged-in test account and verifying that the request is rejected.
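To make the "add CSRF tokens" workaround concrete, the following added example (not code from the RT-Theme 18 | Extensions plugin, whose affected handler is not shown on this page) contrasts a WordPress admin-post handler that accepts any POST with one that verifies a nonce and the caller's capability. The `rt18_demo_` function names, the `rt18_demo_save` action, the `rt18_demo_nonce` field and the `rt18_demo_tagline` option are hypothetical; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, and so on) are the standard core functions.

```php
<?php
// Added example, not plugin code. All rt18_demo_* names are hypothetical.

// --- Vulnerable pattern: any request that reaches admin-post.php with
// action=rt18_demo_save is honoured. A form on an attacker's page, submitted by
// a logged-in administrator's browser, silently rewrites the option because the
// browser attaches the victim's session cookie automatically.
function rt18_demo_save_unsafe() {
    $value = isset( $_POST['tagline'] )
        ? sanitize_text_field( wp_unslash( $_POST['tagline'] ) )
        : '';
    update_option( 'rt18_demo_tagline', $value );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// --- Hardened pattern: capability check plus nonce verification. A nonce is
// tied to the logged-in user and session, so a cross-site page cannot supply a
// valid one. check_admin_referer() calls wp_die() when the nonce is missing or
// invalid, so execution never reaches update_option() on a forged request.
function rt18_demo_save_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    // Second argument is the field name emitted by wp_nonce_field() below.
    check_admin_referer( 'rt18_demo_save', 'rt18_demo_nonce' );

    $value = isset( $_POST['tagline'] )
        ? sanitize_text_field( wp_unslash( $_POST['tagline'] ) )
        : '';
    update_option( 'rt18_demo_tagline', $value );
    wp_safe_redirect( add_query_arg( 'rt18_demo_saved', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_rt18_demo_save', 'rt18_demo_save_safe' );

// The legitimate form must emit the matching nonce; without wp_nonce_field()
// the hardened handler rejects even genuine submissions.
function rt18_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rt18_demo_save">
        <?php wp_nonce_field( 'rt18_demo_save', 'rt18_demo_nonce' ); ?>
        <label>Tagline
            <input type="text" name="tagline"
                   value="<?php echo esc_attr( get_option( 'rt18_demo_tagline', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Two points worth keeping in mind when reviewing a plugin for this class of bug: the nonce check and the capability check are independent (a nonce proves the request originated from a page WordPress rendered for this user, not that the user is allowed to perform the action), and every state-changing entry point (admin-post, admin-ajax, REST callbacks, `init` hooks that read `$_GET`/`$_POST`) needs its own check; a single unprotected handler is enough for the CSRF described above.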
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-39710 is a Cross-Site Request Forgery vulnerability in the RT-Theme 18 | Extensions WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using RT-Theme 18 | Extensions versions 0.0.0 through 2.5. Check your plugin versions and upgrade if necessary.
Upgrade the RT-Theme 18 | Extensions plugin to version 2.5.4 or later. Consider temporary workarounds like CSRF tokens if immediate upgrade is not possible.
There are currently no known active exploits for CVE-2026-39710, but applying the patch promptly is the reliable way to prevent future attacks.
Refer to the official RT-Theme 18 | Extensions documentation and WordPress plugin repository for updates and advisories related to CVE-2026-39710.