Platform
wordpress
Component
busiprof
Fixed in
2.5.3
CVE-2026-39619 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in Busiprof, a software component. This vulnerability allows an attacker to upload a malicious web shell to a web server, potentially leading to complete system compromise. The vulnerability affects versions from 0.0.0 through 2.5.2, and a patch is available in version 2.5.3.
The primary impact of CVE-2026-39619 is the ability for an attacker to execute arbitrary code on the affected web server. By leveraging the CSRF vulnerability, an attacker can trick a legitimate user into unknowingly triggering the web shell upload. Once the web shell is deployed, the attacker gains remote code execution capabilities, enabling them to modify files, steal sensitive data, install malware, or pivot to other systems on the network. The blast radius extends to any data stored or processed by the web server, and the attacker could potentially gain full control of the underlying infrastructure.
The vulnerability was published on 2026-04-08. Exploitation context is currently limited, and no public Proof-of-Concept (POC) code has been widely reported. The CVSS score of 9.6 (CRITICAL) indicates a high probability of exploitation if the vulnerability is exposed. It is recommended to prioritize remediation due to the potential for severe consequences.
Exploit Status
EPSS
0.02% (5% percentile)
CVSS Vector
The recommended mitigation for CVE-2026-39619 is to immediately upgrade Busiprof to version 2.5.3 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as strict input validation on file upload endpoints and implementing CSRF protection mechanisms like double-submit cookies or SameSite cookies. Web Application Firewalls (WAFs) configured to detect and block suspicious file uploads can also provide a layer of defense. Monitor web server logs for unusual file uploads or execution attempts.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-39619 is a critical Cross-Site Request Forgery (CSRF) vulnerability in Busiprof versions 0.0.0–2.5.2. It allows attackers to upload a web shell, potentially leading to remote code execution.
Yes, if you are running Busiprof versions 0.0.0 through 2.5.2, you are affected by this vulnerability. Immediately assess your systems and apply the necessary updates.
The recommended fix is to upgrade Busiprof to version 2.5.3 or later. If upgrading is not possible, implement temporary workarounds like input validation and CSRF protection.
While no widespread exploitation has been publicly reported, the high CVSS score indicates a high probability of exploitation. Proactive remediation is strongly advised.
Refer to the Busiprof official website or security advisory channels for the most up-to-date information and guidance regarding CVE-2026-39619.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.