{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22382", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:36.722Z", "datePublished": "2026-01-22T16:52:35.559Z", "dateUpdated": "2026-04-28T16:53:22.017Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "pawfriends", "product": "PawFriends - Pet Shop and Veterinary WordPress Theme", "vendor": "Mikado-Themes", "versions": [{"lessThanOrEqual": "1.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:11.139Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Cross Site Request Forgery.<p>This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through <= 1.3.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Cross Site Request Forgery.This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through <= 1.3."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:42.384Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/pawfriends/vulnerability/wordpress-pawfriends-pet-shop-and-veterinary-wordpress-theme-theme-1-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress PawFriends - Pet Shop and Veterinary WordPress Theme theme <= 1.3 - Cross Site Request Forgery (CSRF) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T20:11:23.547322Z", "id": "CVE-2026-22382", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:53:22.017Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22382", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:36.722Z", "datePublished": "2026-01-22T16:52:35.559Z", "dateUpdated": "2026-04-28T16:53:22.017Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "pawfriends", "product": "PawFriends - Pet Shop and Veterinary WordPress Theme", "vendor": "Mikado-Themes", "versions": [{"lessThanOrEqual": "1.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:11.139Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Cross Site Request Forgery.<p>This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through <= 1.3.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Cross Site Request Forgery.This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through <= 1.3."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:42.384Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/pawfriends/vulnerability/wordpress-pawfriends-pet-shop-and-veterinary-wordpress-theme-theme-1-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress PawFriends - Pet Shop and Veterinary WordPress Theme theme <= 1.3 - Cross Site Request Forgery (CSRF) vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22382", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T20:11:23.547322Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T20:11:18.673Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Cross Site Request Forgery.This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through <= 1.3."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en el tema de WordPress Mikado-Themes PawFriends - Pet Shop and Veterinary pawfriends permite la falsificaci\u00f3n de petici\u00f3n en sitios cruzados. Este problema afecta al tema de WordPress PawFriends - Pet Shop and Veterinary: desde n/a hasta &lt;= 1.3."}], "id": "CVE-2026-22382", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T17:16:32.233", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/pawfriends/vulnerability/wordpress-pawfriends-pet-shop-and-veterinary-wordpress-theme-theme-1-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T17:57:46.722312+00:00", "value": {"mitigation_remediation": ["Install the latest patched PawFriends theme that eliminates the CSRF flaw.", "If an update cannot be applied immediately, temporarily deactivate the theme until the patch is available or switch to a secure alternative.", "After updating, verify that CSRF protection is in place by confirming that all form submissions include a valid nonce or similar token.", "Monitor administrative logs for suspicious activity and rotate any compromised credentials to reduce the impact of a potential breach."], "summary": {"action": "Patch Theme", "impact": "Unauthorized state changes via CSRF"}, "threat_synthesis": {"affected_systems": "The problem impacts the Mikado\u2011Themes PawFriends \u2013 Pet Shop and Veterinary WordPress Theme for all releases up to and including version\u202f1.3. Users running those versions are susceptible; no other products are mentioned as affected.", "description_and_impact": "The vulnerability is a classic Cross\u2011Site Request Forgery flaw that allows a malicious actor to force an authenticated user, such as a site administrator, to perform actions the user did not intend. The issue arises because the PawFriends theme does not validate the origin of certain requests, so a crafted link or script can change content, delete posts, or alter theme settings. Based on the description, it is inferred that any action that modifies site data or configuration could be performed without user consent, representing a moderate\u2011severity weakness classified as CWE\u2011352.", "risk_and_exploitability": "With a CVSS score of 5.4 the vulnerability carries moderate severity, while the EPSS figure of less than 1\u202f% suggests that exploitation is unlikely but not impossible. The likely attack vector is a browser\u2011based CSRF scenario that requires the victim to be logged into the WordPress admin area. Because the exploit does not require authentication to the theme itself, any user with administrative privileges can be coerced to trigger the malicious request. The consequence of unauthorized state changes can be significant for sites that host customer data or e\u2011commerce features, though the overall risk remains moderate due to the low exploitation probability."}}}}, "created": "2026-01-23T16:28:19.642864+00:00", "updated": "2026-04-16T18:00:11.186854+00:00", "vendors": ["mikado-themes", "mikado-themes$PRODUCT$pawfriends_-_pet_shop_and_veterinary_wordpress_theme", "wordpress", "wordpress$PRODUCT$wordpress"]}