CVE-2026-8423
4.3 MEDIUM
The JaviBola Custom Theme Test plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.5.
Published: 2026-05-20 · Last updated: 2026-05-20
Severity and scoring
- CVSS: 4.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- CWE: CWE-352
Description
The JaviBola Custom Theme Test plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on the options page. This makes it possible for unauthenticated attackers to change the site's active theme by modifying the jbct_theme option via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Source: NVD
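For plugin maintainers, an options-page handler with the nonce check the description says is missing or incorrect. This is an added example, not the plugin's own code: only the option name jbct_theme comes from the advisory, and the function, page slug, nonce action and nonce field names are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Only the option name 'jbct_theme'
// comes from the advisory; every other name below is hypothetical.

add_action( 'admin_menu', function () {
    add_options_page( 'Theme Test', 'Theme Test', 'manage_options',
        'jbct-example', 'jbct_example_render_page' );
} );

function jbct_example_render_page() {
    // Capability check: the page and its save path are for administrators only.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // Nonce check: WordPress stops the request unless it carries the token
        // that wp_nonce_field() placed in the form below. A save path without
        // this call accepts a cross-site POST sent from an administrator's
        // browser, which is the CWE-352 condition.
        check_admin_referer( 'jbct_example_save', 'jbct_example_nonce' );

        $theme = isset( $_POST['jbct_theme'] )
            ? sanitize_text_field( wp_unslash( $_POST['jbct_theme'] ) )
            : '';

        // Store the value only if it names an installed theme.
        if ( '' !== $theme && wp_get_theme( $theme )->exists() ) {
            update_option( 'jbct_theme', $theme );
        }
    }

    $current = get_option( 'jbct_theme', '' );

    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() verifies.
    wp_nonce_field( 'jbct_example_save', 'jbct_example_nonce' );
    echo '<select name="jbct_theme">';
    foreach ( wp_get_themes() as $slug => $theme_obj ) {
        printf( '<option value="%s"%s>%s</option>', esc_attr( $slug ),
            selected( $current, $slug, false ),
            esc_html( $theme_obj->get( 'Name' ) ) );
    }
    echo '</select>';
    submit_button();
    echo '</form>';
}
```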
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-8423
- [Other] https://plugins.trac.wordpress.org/browser/javibola-custom-theme/tags/2.0.5/javibola-custom-theme.php#L40
- [Other] https://plugins.trac.wordpress.org/browser/javibola-custom-theme/tags/2.0.5/javibola-custom-theme.php#L41
- [Other] https://plugins.trac.wordpress.org/browser/javibola-custom-theme/tags/2.0.5/javibola-custom-theme.php#L54
- [Other] https://plugins.trac.wordpress.org/browser/javibola-custom-theme/trunk/javibola-custom-theme.php#L40
- [Other] https://plugins.trac.wordpress.org/browser/javibola-custom-theme/trunk/javibola-custom-theme.php#L41
- [Other] https://plugins.trac.wordpress.org/browser/javibola-custom-theme/trunk/javibola-custom-theme.php#L54
- [Other] https://www.wordfence.com/threat-intel/vulnerabilities/id/68a8a277-2ea6-4d75-b8cd-4d20eb17b3aa?source=cve
Related CVEs
Same CWE
- CVE-2026-49043 — Unauthenticated Cross Site Request Forgery (CSRF) in WP Migrate Lite <= 2.7.8 versions (4.7 MEDIUM)
- CVE-2026-48518 — MultiJuicer is used to run separate Juice Shop instances on a central kubernetes cluster without the need for local instances (4.3 MEDIUM)
- CVE-2016-20083 — WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized action... (5.3 MEDIUM)
- CVE-2016-20074 — WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorize... (4.3 MEDIUM)
- CVE-2016-20067 — WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on beh... (4.3 MEDIUM)