Platform: wordpress
Component: rt18-extensions
Fixed in: 2.5.4
CVE-2026-39710 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the RT-Theme 18 | Extensions plugin for WordPress. It potentially allows an attacker to execute unauthorized actions in a user's account if that user is tricked into clicking a malicious link while logged in. The vulnerability affects versions from 0.0.0 through 2.5, and a patch is available in version 2.5.4.
A successful CSRF attack could allow an attacker to modify user profiles, change settings, or perform other actions as the logged-in user without their knowledge or consent. The impact is particularly severe if the plugin has administrative privileges or handles sensitive data. Attackers could craft malicious links or embed them in emails or websites to trick users into triggering these actions. The blast radius extends to any user of the affected plugin, especially those with elevated privileges.
This vulnerability was publicly disclosed on 2026-04-08. There are currently no known public proof-of-concept exploits available. The CVSS score of 5.4 (Medium) indicates a moderate risk. It is not listed on the CISA KEV catalog at the time of writing.
Exploit Status
EPSS: 0.02% (4% percentile)
CVSS Vector
The primary mitigation is to upgrade the RT-Theme 18 | Extensions plugin to version 2.5.4 or later. If upgrading immediately is not possible, consider implementing temporary workarounds such as adding CSRF tokens to all sensitive forms and actions within the plugin. Web Application Firewalls (WAFs) can also be configured to filter out malicious requests based on patterns associated with CSRF attacks. After upgrading, confirm the vulnerability is resolved by attempting to trigger a sensitive action via a crafted URL and verifying that it fails.
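As an added illustration of the CSRF-token workaround, this is not code from the RT-Theme 18 | Extensions plugin: the action name, nonce field, option key and admin page slug are hypothetical. It shows a settings handler in the vulnerable shape beside the hardened one that uses a WordPress nonce and a capability check.

```php
<?php
// Added example, not code from the RT-Theme 18 | Extensions plugin.
// 'rt18_demo_save_settings', 'rt18_demo_nonce', 'rt18_demo_settings' and
// the 'rt18-demo' page slug are placeholder names.

// Vulnerable shape: the handler trusts any POST that reaches it, so a request
// forged by another site in a logged-in admin's browser is honoured.
function rt18_demo_save_settings_vulnerable() {
    update_option( 'rt18_demo_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=rt18-demo' ) );
    exit;
}

// Hardened shape, part 1: the form embeds a per-user, per-action nonce that a
// third-party site cannot read or predict.
function rt18_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rt18_demo_save_settings">
        <?php wp_nonce_field( 'rt18_demo_save_settings', 'rt18_demo_nonce' ); ?>
        <input type="text" name="settings"
               value="<?php echo esc_attr( get_option( 'rt18_demo_settings', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened shape, part 2: verify who is asking and that the nonce matches
// before any state changes.
function rt18_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Stops with a 403 page if the nonce is missing, expired, or minted for
    // another user or action.
    check_admin_referer( 'rt18_demo_save_settings', 'rt18_demo_nonce' );
    $settings = sanitize_text_field( wp_unslash( $_POST['settings'] ?? '' ) );
    update_option( 'rt18_demo_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=rt18-demo' ) );
    exit;
}

add_action( 'admin_post_rt18_demo_save_settings', 'rt18_demo_save_settings_hardened' );
```

The same pair of checks applies to AJAX endpoints (check_ajax_referer) and REST callbacks (permission_callback); a nonce without a capability check still lets any logged-in user who can load the form submit it.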
CVE-2026-39710 is a Cross-Site Request Forgery vulnerability in the RT-Theme 18 | Extensions WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using RT-Theme 18 | Extensions versions 0.0.0 through 2.5. Check your plugin versions and upgrade if necessary.
Upgrade the RT-Theme 18 | Extensions plugin to version 2.5.4 or later. Consider temporary workarounds like CSRF tokens if immediate upgrade is not possible.
There are currently no known active exploits for CVE-2026-39710, but it's crucial to apply the patch to prevent potential future attacks.
Refer to the official RT-Theme 18 | Extensions documentation and WordPress plugin repository for updates and advisories related to CVE-2026-39710.