Platform: wordpress
Component: grandmagazine
Fixed version: 3.5.6
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Grand Magazine WordPress plugin, potentially allowing attackers to perform unauthorized actions on behalf of authenticated users. This vulnerability affects versions from 0.0.0 through 3.5.5. A patch is available; upgrading is the recommended solution.
This CSRF vulnerability allows an attacker to craft malicious requests that, when triggered by a logged-in user of the Grand Magazine plugin, can modify site settings, create or delete content, or perform any other action that user is permitted to take. The attacker does not need the user's password, only a browser session in which the user is already logged in. The blast radius is limited to the actions the victim can perform within the plugin, but the consequences can still be significant depending on the user's role and privileges. Successful exploitation could lead to defacement, data modification, or unauthorized administrative access.
This vulnerability was publicly disclosed on 2026-04-08. There are currently no known public proof-of-concept exploits available. The CVSS score of 5.4 (Medium) indicates a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.
Websites using the Grand Magazine WordPress plugin, particularly those with users who have administrative or content creation privileges, are at risk. Shared hosting environments where multiple websites share the same server resources could also be affected if one site is vulnerable and an attacker can leverage it to target other sites on the same server.
Detection (wordpress / composer / npm):
grep -r 'grandmagazine/grandmagazine' /var/www/html/wp-content/plugins/
wp plugin list --status=inactive | grep grandmagazine
wp plugin update --all
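The commands above locate the plugin by path or slug but do not report which version is installed, which is what decides whether an install falls in the affected range (0.0.0 through 3.5.5). The script below is added here as an illustration and is not code from the advisory or from the plugin: it reads the Version field of the WordPress plugin header and flags anything below the fixed release 3.5.6. The directory layout, the main-file name grandmagazine.php and the sample headers are constructed assumptions.

```python
"""Flag Grand Magazine plugin installs older than the fixed release 3.5.6.

Added example. It assumes the standard WordPress plugin layout
(wp-content/plugins/<slug>/<main-file>.php with a header comment) and
constructs sample plugin directories in a temporary folder to run offline.
"""
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (3, 5, 6)  # first fixed release named by the advisory


def parse_version(text):
    """Turn '3.5.5', '3.5' or '3.5.5-beta' into a 3-tuple of ints for comparison."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def plugin_header_version(plugin_file):
    """Extract the 'Version:' field from a WordPress plugin header comment.

    A real plugin main file always carries a 'Plugin Name:' field, so that is
    required too; it keeps readme or helper files with a stray 'Version:' line
    from being mistaken for the plugin itself.
    """
    text = Path(plugin_file).read_text(encoding="utf-8", errors="replace")
    if not re.search(r"^\s*\*?\s*Plugin Name:", text, re.MULTILINE):
        raise ValueError(f"{plugin_file} has no WordPress plugin header")
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", text, re.MULTILINE)
    if not m:
        raise ValueError(f"{plugin_file} has no Version header")
    return m.group(1)


def is_affected(version):
    """True when the version is below the fixed release, i.e. 0.0.0 .. 3.5.5."""
    return parse_version(version) < FIXED_VERSION


def scan_plugins(plugins_dir, slug="grandmagazine"):
    """Return {plugin_dir_name: (version, affected)} for directories matching slug."""
    results = {}
    for d in sorted(Path(plugins_dir).iterdir()):
        if not (d.is_dir() and slug in d.name.lower()):
            continue
        for php in sorted(d.glob("*.php")):
            try:
                v = plugin_header_version(php)
            except ValueError:
                continue  # not the main plugin file; keep looking
            results[d.name] = (v, is_affected(v))
            break
    return results


# Constructed sample header; the real plugin file is not reproduced here.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Grand Magazine
Version: {version}
*/
"""


def demo():
    """Build two constructed installs (one affected, one fixed) and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, v in (("grandmagazine", "3.5.5"), ("grandmagazine-copy", "3.5.6")):
            d = Path(tmp, name)
            d.mkdir()
            (d / "grandmagazine.php").write_text(SAMPLE_HEADER.format(version=v))
        return scan_plugins(tmp)


if __name__ == "__main__":
    for name, (version, affected) in demo().items():
        print(f"{name}: {version} -> {'AFFECTED' if affected else 'ok'}")
```

Point scan_plugins at the real plugins directory (for example /var/www/html/wp-content/plugins/) to check a live install; the tuple comparison handles multi-digit components such as 3.10 correctly, which a plain string comparison would not.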
Exploitation status
EPSS: 0.01% (3rd percentile)
CVSS vector:
The primary mitigation is to upgrade the Grand Magazine plugin to a version that includes the fix. If upgrading immediately is not possible because of compatibility issues or testing requirements, consider an interim Web Application Firewall (WAF) rule that blocks cross-site state-changing requests: specifically, requests whose Origin or Referer header names a different domain than the site itself. Additionally, ensure that all user input is properly validated and sanitized so that malicious data cannot be injected into requests. After upgrading, verify the fix in a test environment by attempting to trigger the CSRF condition and confirming that the request is rejected or ignored.
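As a concrete form of the interim WAF rule described above, the function below decides whether a state-changing request is cross-site by comparing the Origin header (or the Referer, when Origin is absent) with the site's own host. It is an added example, not code from the advisory or from any WAF product; the request shape it accepts, a method string plus a header dictionary, is an assumption, and the sample requests are constructed. It is defense in depth only: the durable fix remains the plugin upgrade, since WordPress's own CSRF protection is nonce verification inside the plugin's request handlers.

```python
"""Origin/Referer check for state-changing requests, as a WAF-style stopgap.

Added example. It assumes a generic middleware hook that hands us the HTTP
method and a header dictionary; it is not any real WAF's rule syntax.
"""
from urllib.parse import urlsplit

# CSRF targets state changes, so safe methods are never blocked.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _host_of(url):
    """Return the lower-cased host[:port] of an Origin or Referer value, or None."""
    try:
        netloc = urlsplit(url).netloc.lower()
    except ValueError:
        return None
    return netloc.split("@")[-1] or None  # drop any userinfo component


def is_cross_site(method, headers, site_host, strict=True):
    """Return True when the request should be blocked.

    - Origin is checked first: browsers send it on cross-origin POSTs, and an
      Origin of 'null' (sandboxed or opaque source) is treated as foreign.
    - Referer is the fallback; it is a full URL, so only its host is compared.
    - With neither header present, strict=True fails closed (block) and
      strict=False lets the request through so that non-browser clients that
      send no such headers keep working.
    site_host must include a non-default port if the site uses one.
    """
    if method.upper() not in STATE_CHANGING:
        return False
    h = {k.lower(): v for k, v in headers.items()}
    site_host = site_host.lower()
    origin = h.get("origin")
    if origin is not None:
        if origin.strip().lower() == "null":
            return True
        return _host_of(origin) != site_host
    referer = h.get("referer")
    if referer is not None:
        return _host_of(referer) != site_host
    return strict


# Constructed sample requests as a middleware would see them.
SAMPLE_REQUESTS = [
    ("POST", {"Origin": "https://blog.example"}),                      # same-origin form post
    ("POST", {"Origin": "https://attacker.example"}),                  # cross-site post
    ("POST", {"Referer": "https://blog.example/wp-admin/admin.php?page=grandmagazine"}),
    ("GET", {"Origin": "https://attacker.example"}),                   # safe method, never blocked
    ("POST", {}),                                                      # no headers: fail closed
]


def evaluate(requests, site_host, strict=True):
    """Apply the rule to a batch; returns one block/allow decision per request."""
    return [is_cross_site(m, hdrs, site_host, strict) for m, hdrs in requests]


if __name__ == "__main__":
    for (method, hdrs), blocked in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS, "blog.example")):
        print(f"{method:5} {hdrs} -> {'BLOCK' if blocked else 'allow'}")
```

The strict flag is the operational decision to make before deploying such a rule: failing closed blocks legitimate API clients that send neither header, while failing open lets a browser that strips Referer (for example under a strict referrer policy) and omits Origin slip past, so log both outcomes and review them before enforcing.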
CVE-2026-39635 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0 through 3.5.5 of the Grand Magazine WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if your website uses the Grand Magazine plugin and is running a version between 0.0.0 and 3.5.5. Check your plugin versions immediately.
Upgrade the Grand Magazine plugin to the latest available version, which contains the fix for this vulnerability. Consider a WAF as a temporary mitigation.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Check the official Grand Magazine plugin website or WordPress plugin repository for updates and security advisories related to CVE-2026-39635.