Platform
wordpress
Component
grandmagazine
Fixed in
3.5.6
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Grand Magazine WordPress plugin, potentially allowing attackers to perform unauthorized actions on behalf of authenticated users. This vulnerability affects versions from 0.0.0 through 3.5.5. A patch is available; upgrading is the recommended solution.
In a CSRF attack the attacker crafts a request (for example a hidden, auto-submitting form on a page they control) that the victim's browser sends to the vulnerable site with the victim's session cookie attached. Where the Grand Magazine request handlers do not verify a nonce or otherwise check the request's provenance, such a request can modify settings, create or delete content, or perform any other action the logged-in user is permitted to perform through the plugin. The attacker does not need the user's password, only that the user is logged in and visits attacker-controlled content. The blast radius is bounded by what the victim's role can do within the plugin, but for an editor or administrator that can still mean defacement, data modification, or changes that amount to unauthorized administrative access.
This vulnerability was publicly disclosed on 2026-04-08. There are currently no known public proof-of-concept exploits. The CVSS base score of 5.4 (Medium) describes severity, not likelihood; the EPSS estimate listed below (0.01%, 3rd percentile) indicates a low probability of exploitation in the wild. It is not currently listed in the CISA KEV catalog.
Any website running the affected versions of the Grand Magazine plugin is at risk, and the impact scales with the privileges of the users who can be lured into triggering a forged request, so sites whose administrators and content editors browse other sites while logged in are the most exposed. Because CSRF rides on the victim's browser session for the vulnerable site rather than on server access, other sites on a shared host are not directly reachable through it; they would only be at risk if the actions an attacker can trigger through the plugin give a foothold on the server that the host's isolation does not contain.
• wordpress / composer / npm:
grep -r 'grandmagazine/grandmagazine' /var/www/html/wp-content/plugins/
wp plugin list --fields=name,status,version | grep grandmagazine
wp plugin update --all
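The wp-cli listing above shows the installed version; where wp-cli is not available, the same check can be made by reading the plugin header directly. The following Python script is an added example, not code from this page or from the plugin's vendor: it parses the `Version:` line of a plugin's header file and compares it against the fixed release, treating anything below 3.5.6 as affected. The sample plugin tree it builds is constructed for the example, and the slug `grandmagazine` with main file `grandmagazine.php` is an assumption.

```python
import re
from pathlib import Path
from tempfile import mkdtemp

# Boundary taken from the advisory: versions up to and including 3.5.5 are
# affected, 3.5.6 carries the fix.
FIXED_VERSION = "3.5.6"

# Matches the "Version:" line of a WordPress plugin header, whether or not the
# comment block prefixes each line with "*".
VERSION_LINE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """'3.5.5' -> (3, 5, 5). Parsing stops at the first non-numeric piece, so
    '3.5.6-beta1' compares as (3, 5, 6); check pre-releases by hand."""
    parts = []
    for piece in re.split(r"[.\-+]", text.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(installed, fixed=FIXED_VERSION):
    """True when the installed version sorts below the fixed one.
    Tuple comparison handles short versions: (3, 5) < (3, 5, 6) is True,
    and an unparseable version () is treated as affected."""
    return parse_version(installed) < parse_version(fixed)


def read_plugin_version(plugin_dir):
    """Return the Version: value from the first top-level PHP file that carries
    a plugin header, or None if no header is found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = VERSION_LINE.search(head)
        if match:
            return match.group(1)
    return None


def audit_plugins(plugins_root, slug="grandmagazine"):
    """Look for the plugin directory by slug under wp-content/plugins and report
    (version, affected). Returns None if the plugin is not installed."""
    plugin_dir = Path(plugins_root) / slug
    if not plugin_dir.is_dir():
        return None
    version = read_plugin_version(plugin_dir)
    if version is None:
        return ("unknown", True)  # no header found: treat as affected until verified
    return (version, is_affected(version))


# Constructed sample install (assumed layout), not a real plugin tree.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Grand Magazine
Version: {version}
*/
"""


def build_sample_root(version):
    root = Path(mkdtemp())
    plugin_dir = root / "grandmagazine"
    plugin_dir.mkdir()
    (plugin_dir / "grandmagazine.php").write_text(SAMPLE_HEADER.format(version=version))
    return root


if __name__ == "__main__":
    for v in ("3.5.5", "3.5.6"):
        print(v, audit_plugins(build_sample_root(v)))
    # Against a live install, point at the real plugins directory instead:
    # print(audit_plugins("/var/www/html/wp-content/plugins"))
```

The comparison is a plain numeric tuple compare, which is enough for the `major.minor.patch` scheme this plugin uses; an installed copy with no readable header is reported as affected so that it is checked rather than silently skipped.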
Exploit status
EPSS
0.01% (3rd percentile)
CVSS vector
The primary mitigation is to upgrade the Grand Magazine plugin to 3.5.6 or later. If an immediate upgrade is not possible because of compatibility or testing constraints, a Web Application Firewall (WAF) rule can reduce exposure in the meantime: for state-changing requests to the endpoints that dispatch plugin actions (admin-ajax.php, admin-post.php and the wp-admin pages), require that the Origin header, or failing that the Referer, matches the site's own origin, and fail closed when neither is present. This is a heuristic rather than a fix. The root cause of a CSRF flaw is a request handler that does not verify a nonce or the request's provenance, and input validation does not address it, because the forged request carries whatever well-formed values the victim's browser was told to send. After upgrading, verify the fix by submitting the affected action from a page on another origin, or replaying it without a valid nonce, while logged in, and confirming that the request is rejected.
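The interim rule described above, as an added example that is not part of the original advisory and not the plugin's or any WAF vendor's code. It is written in Python so the decision logic can be read and exercised on constructed requests before being translated into the rule language of whatever WAF is in front of the site. The site origin, the protected path prefixes and the sample requests are assumptions made for the example; the order of evidence (Origin, then Referer, then Sec-Fetch-Site, then fail closed) follows the OWASP CSRF Prevention Cheat Sheet's guidance on origin verification.

```python
from urllib.parse import urlsplit

# Assumed origin of the protected site and the WordPress entry points through
# which plugin actions are dispatched. Both are assumptions for this example.
SITE_ORIGIN = "https://magazine.example"
PROTECTED_PREFIXES = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php", "/wp-admin/")
STATE_CHANGING = frozenset({"POST", "PUT", "PATCH", "DELETE"})


def origin_of(url):
    """Reduce a URL to scheme://host[:port], lower-cased; None if it has no host."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def decide(method, path, headers, site_origin=SITE_ORIGIN):
    """Return 'allow' or 'block' for one request.

    Trust Origin when present, fall back to Referer, then to Sec-Fetch-Site,
    and fail closed when a state-changing request to a protected endpoint
    carries none of them.
    """
    if method.upper() not in STATE_CHANGING:
        return "allow"  # GET-triggered actions are outside this rule; only the nonce fix covers them
    if not path.startswith(PROTECTED_PREFIXES):
        return "allow"  # scope the rule to the endpoints that dispatch plugin actions
    hdr = {k.lower(): v.strip() for k, v in headers.items()}
    site = site_origin.lower()

    origin = hdr.get("origin")
    if origin is not None:
        # "null" (sandboxed iframe, data: URL) never equals the site origin, so it is blocked
        return "allow" if origin.lower() == site else "block"

    referer = hdr.get("referer")
    if referer is not None:
        return "allow" if origin_of(referer) == site else "block"

    fetch_site = hdr.get("sec-fetch-site")
    if fetch_site is not None:
        # 'same-site' would admit sibling subdomains, which are a different origin
        return "allow" if fetch_site in ("same-origin", "none") else "block"

    return "block"  # no provenance at all on a state-changing admin request


# Constructed sample requests: (label, method, path, headers). Not captured traffic.
SAMPLE_REQUESTS = [
    ("same-origin form post", "POST", "/wp-admin/admin-post.php",
     {"Origin": "https://magazine.example"}),
    ("cross-site form post", "POST", "/wp-admin/admin-post.php",
     {"Origin": "https://attacker.example"}),
    ("legacy client, Referer only", "POST", "/wp-admin/admin-ajax.php",
     {"Referer": "https://magazine.example/wp-admin/options-general.php"}),
    ("sandboxed iframe", "POST", "/wp-admin/admin-ajax.php", {"Origin": "null"}),
    ("fetch metadata only", "POST", "/wp-admin/admin-ajax.php", {"Sec-Fetch-Site": "cross-site"}),
    ("headers stripped", "POST", "/wp-admin/admin-ajax.php", {}),
    ("cross-site GET", "GET", "/wp-admin/admin-ajax.php", {"Origin": "https://attacker.example"}),
    # REST API requests with cookie auth already need an X-WP-Nonce, so they are left out of scope
    ("unrelated endpoint", "POST", "/wp-json/wp/v2/posts", {"Origin": "https://attacker.example"}),
]


def run_samples():
    return {label: decide(m, p, h) for label, m, p, h in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{verdict:5}  {label}")
```

Failing closed on a state-changing admin request with no Origin and no Referer will break clients that strip both headers, which is the trade-off to weigh against running the vulnerable version a little longer; the rule should be removed once 3.5.6 is deployed and the nonce check has been verified.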
CVE-2026-39635 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0 through 3.5.5 of the Grand Magazine WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if your website uses the Grand Magazine plugin and is running a version between 0.0.0 and 3.5.5. Check your plugin versions immediately.
Upgrade the Grand Magazine plugin to the latest available version, which contains the fix for this vulnerability. Consider a WAF as a temporary mitigation.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Check the official Grand Magazine plugin website or WordPress plugin repository for updates and security advisories related to CVE-2026-39635.