Platform: wordpress
Component: bluestreet
Fixed in: 1.7.4
CVE-2026-39617 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in Bluestreet. This flaw allows attackers to trick authenticated users into performing actions they did not intend to, potentially leading to unauthorized data modification or account compromise. The vulnerability impacts Bluestreet versions from 0.0.0 up to and including 1.7.3. A fix is expected from the vendor.
A successful CSRF attack against Bluestreet could allow an attacker to perform actions on behalf of a logged-in user without their knowledge or consent. This could include modifying user profiles, changing settings, initiating transactions, or even deleting data. The impact is particularly severe if Bluestreet handles sensitive information or financial transactions. The CRITICAL CVSS score (9.6) reflects the ease of exploitation and the potential for significant damage. The attacker needs only to craft a malicious request and trick the user into clicking a link or visiting a compromised website.
CVE-2026-39617 was published on 2026-04-08. Exploitation probability is currently unknown, but CSRF vulnerabilities are frequently targeted. No public Proof-of-Concept (PoC) code has been identified at the time of writing. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting Bluestreet.
Exploit Status
EPSS: 0.02% (5th percentile)
CVSS Vector
The primary mitigation for CVE-2026-39617 is to upgrade Bluestreet to a version containing the security fix. Until a patched version is available, consider temporary workarounds such as strict input validation and output encoding to prevent malicious data from being processed, a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests, and anti-CSRF tokens on all sensitive actions so that requests which did not originate from the application's own forms are rejected. After upgrading, verify the fix by attempting to trigger a CSRF attack and confirming that it is blocked.
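As an added illustration of the anti-CSRF-token mitigation (this is not code from the Bluestreet plugin or from this advisory), the following WordPress plugin snippet shows a settings handler that trusts any authenticated POST beside a hardened version that uses WordPress nonces plus a capability check. The hook, option and field names (`bs_demo_*`) are hypothetical placeholders, and the snippet assumes it runs inside WordPress.

```php
<?php
// Added example: a hypothetical settings handler, not Bluestreet's code.
// All bs_demo_* names are placeholders chosen for this illustration.

// VULNERABLE pattern: the handler only relies on the user being logged in.
// A form on another origin can submit this request, and the browser attaches
// the victim's session cookie, so WordPress treats it as the victim's action.
add_action('admin_post_bs_demo_save_vulnerable', function () {
    update_option('bs_demo_setting', sanitize_text_field($_POST['setting'] ?? ''));
    wp_safe_redirect(admin_url('options-general.php?page=bs-demo'));
    exit;
});

// HARDENED pattern: the form embeds a nonce bound to this user and action;
// the handler rejects requests without a valid nonce or sufficient rights.
function bs_demo_render_form() {
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="bs_demo_save">';
    // Emits a hidden _bs_demo_nonce field tied to the 'bs_demo_save' action.
    wp_nonce_field('bs_demo_save', '_bs_demo_nonce');
    echo '<input type="text" name="setting" value="'
        . esc_attr(get_option('bs_demo_setting', '')) . '">';
    submit_button('Save');
    echo '</form>';
}

add_action('admin_post_bs_demo_save', function () {
    // 1. Authorization: the caller must be allowed to change settings at all.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }
    // 2. Request origin: the nonce must verify for this user and this action.
    //    check_admin_referer() stops the request (HTTP 403) when it does not,
    //    so the update below only runs for a request built from our own form.
    check_admin_referer('bs_demo_save', '_bs_demo_nonce');

    update_option('bs_demo_setting', sanitize_text_field($_POST['setting'] ?? ''));
    wp_safe_redirect(admin_url('options-general.php?page=bs-demo&updated=1'));
    exit;
});
```

When verifying a fix as the paragraph above suggests, the observable difference is that a POST lacking a valid nonce field now terminates with a 403 from the nonce check instead of updating the option. Note that WordPress nonces are time-windowed rather than single-use, so they prevent cross-origin forgery but are not a replacement for the capability check.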
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-39617 is a critical Cross-Site Request Forgery (CSRF) vulnerability affecting Bluestreet versions 0.0.0 through 1.7.3. It allows attackers to trick authenticated users into performing unintended actions.
If you are using Bluestreet version 0.0.0 through 1.7.3, you are potentially affected by this vulnerability. Immediately assess your environment and apply the recommended mitigations.
The recommended fix is to upgrade to a patched version of Bluestreet as soon as it becomes available. Until then, implement workarounds like WAF rules and anti-CSRF tokens.
Currently, there are no confirmed reports of active exploitation. However, CSRF vulnerabilities are frequently targeted, so vigilance is advised.
Refer to the Bluestreet project's official website or security advisory page for updates and announcements regarding this vulnerability. Check their GitHub repository for updates.