{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39618", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:27.974Z", "datePublished": "2026-04-08T08:30:25.559Z", "dateUpdated": "2026-04-08T08:30:25.559Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "newsexo", "product": "NewsExo", "vendor": "themearile", "versions": [{"lessThanOrEqual": "7.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:38.427Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in themearile NewsExo newsexo allows Cross Site Request Forgery.<p>This issue affects NewsExo: from n/a through <= 7.1.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in themearile NewsExo newsexo allows Cross Site Request Forgery.This issue affects NewsExo: from n/a through <= 7.1."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:25.559Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/newsexo/vulnerability/wordpress-newsexo-theme-7-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress NewsExo theme <= 7.1 - Cross Site Request Forgery (CSRF) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in themearile NewsExo newsexo allows Cross Site Request Forgery.This issue affects NewsExo: from n/a through <= 7.1."}], "id": "CVE-2026-39618", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:31.730", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/newsexo/vulnerability/wordpress-newsexo-theme-7-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "NewsExo", "source": "cna", "vendor": "themearile"}, "product": "newsexo", "vendor": "themearile"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:40:16.747213+00:00", "value": {"mitigation_remediation": ["Update the NewsExo theme to the latest version (\u22657.2).", "Back up the site before performing the update.", "Remove or replace the vulnerable theme if it is no longer needed.", "Verify that the new version includes proper CSRF protection and that nonces or other anti\u2011CSRF mechanisms are active."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via CSRF"}, "threat_synthesis": {"affected_systems": "Vulnerable versions are all NewsExo releases up to and including 7.1. Sites running any of these versions are at risk. The vulnerability does not affect newer releases beyond 7.1, so upgrading past this point removes the risk. The issue is present in the default installation of the theme, not requiring additional configuration.", "description_and_impact": "The NewsExo WordPress theme contains a CSRF vulnerability that allows an attacker to craft a request that a legitimate user will inadvertently submit. This can lead to unauthorized changes within the site, such as modifying settings, posting content, or performing actions that the user has permission for. The weakness is a missing or improperly validated anti\u2011CSRF token, represented by CWE\u2011352.", "risk_and_exploitability": "The severity is considered high due to the potential for an attacker to cause arbitrary actions on behalf of an authenticated user. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector involves a malicious link or embedded form that the target user clicks or submits, sending a forged request to the site. Because the flaw does not require local execution or privileged access, it can be exploited remotely with minimal effort once a user visits the malicious page."}}}}, "created": "2026-04-08T19:29:41.675616+00:00", "updated": "2026-04-08T19:41:58.479979+00:00", "vendors": ["themearile", "themearile$PRODUCT$newsexo", "wordpress", "wordpress$PRODUCT$wordpress"]}