{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39634", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:43.490Z", "datePublished": "2026-04-08T08:30:29.207Z", "dateUpdated": "2026-04-08T08:30:29.207Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "grandportfolio", "product": "Grand Portfolio", "vendor": "ThemeGoods", "versions": [{"lessThanOrEqual": "3.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:35.779Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Portfolio grandportfolio allows Cross Site Request Forgery.<p>This issue affects Grand Portfolio: from n/a through <= 3.3.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Portfolio grandportfolio allows Cross Site Request Forgery.This issue affects Grand Portfolio: from n/a through <= 3.3."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:29.207Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/grandportfolio/vulnerability/wordpress-grand-portfolio-theme-3-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress Grand Portfolio theme <= 3.3 - Cross Site Request Forgery (CSRF) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Portfolio grandportfolio allows Cross Site Request Forgery.This issue affects Grand Portfolio: from n/a through <= 3.3."}], "id": "CVE-2026-39634", "lastModified": "2026-04-08T09:16:34.020", "metrics": {}, "published": "2026-04-08T09:16:34.020", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/grandportfolio/vulnerability/wordpress-grand-portfolio-theme-3-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-08T10:11:32.747188+00:00", "value": {"mitigation_remediation": ["Update the Grand Portfolio theme to the latest released version (greater than 3.3).", "Verify that the theme version on the site is upgraded and that no legacy files remain in /wp-content/themes/grandportfolio.", "Check with ThemeGoods support or the official patch notes for any additional security fixes if the theme cannot be upgraded immediately."], "summary": {"action": "Patch Now", "impact": "Cross-Site Request Forgery"}, "threat_synthesis": {"affected_systems": "The flaw affects the ThemeGoods Grand Portfolio theme versions up to and including 3.3. WordPress sites that have installed any of those versions are at risk. No operating\u2011system or server component is directly mentioned; the issue resides entirely within the WordPress theme code.", "description_and_impact": "The Grand Portfolio theme for WordPress contains a CSRF weakness that allows an attacker to forge requests by tricking an authenticated user into executing unintended actions. This vulnerability is categorized as CWE\u2011352. If exploited, the attacker could influence the site\u2019s content or settings without the user\u2019s knowledge, potentially compromising the integrity and confidentiality of the site data.", "risk_and_exploitability": "Because the weakness is a classic CSRF flaw, it does not require elevated privileges or user interaction beyond visiting a crafted URL. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but the lack of a hardening recommendation suggests that the risk is moderate to high if the theme is still in use. An attacker could reset settings or post content, thereby affecting the availability and integrity of the site."}}}}, "created": "2026-04-08T19:41:41.139698+00:00", "updated": "2026-04-08T19:41:41.139741+00:00", "vendors": []}