{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39641", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:43.491Z", "datePublished": "2026-04-08T08:30:32.097Z", "dateUpdated": "2026-04-29T09:52:02.939Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "blackfyre", "product": "Blackfyre", "vendor": "Skywarrior", "versions": [{"lessThanOrEqual": "2.5.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:36.936Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Skywarrior Blackfyre blackfyre allows Cross Site Request Forgery.<p>This issue affects Blackfyre: from n/a through <= 2.5.4.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in Skywarrior Blackfyre blackfyre allows Cross Site Request Forgery.This issue affects Blackfyre: from n/a through <= 2.5.4."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:02.939Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/blackfyre/vulnerability/wordpress-blackfyre-theme-2-5-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress Blackfyre theme <= 2.5.4 - Cross Site Request Forgery (CSRF) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T15:38:49.826441Z", "id": "CVE-2026-39641", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:38:54.023Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "WordPress Blackfyre theme <= 2.5.4 - Cross Site Request Forgery (CSRF) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "affected": [{"vendor": "Skywarrior", "product": "Blackfyre", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.5.4"}], "packageName": "blackfyre", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:36.936Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/blackfyre/vulnerability/wordpress-blackfyre-theme-2-5-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Skywarrior Blackfyre blackfyre allows Cross Site Request Forgery.This issue affects Blackfyre: from n/a through <= 2.5.4.", "supportingMedia": [{"type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Skywarrior Blackfyre blackfyre allows Cross Site Request Forgery.<p>This issue affects Blackfyre: from n/a through <= 2.5.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:32.097Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39641", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T15:38:49.826441Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-09T15:38:35.823Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-39641", "state": "PUBLISHED", "dateUpdated": "2026-04-08T08:30:32.097Z", "dateReserved": "2026-04-07T10:57:43.491Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:32.097Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Skywarrior Blackfyre blackfyre allows Cross Site Request Forgery.This issue affects Blackfyre: from n/a through <= 2.5.4."}], "id": "CVE-2026-39641", "lastModified": "2026-04-29T10:17:35.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:34.930", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/blackfyre/vulnerability/wordpress-blackfyre-theme-2-5-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Blackfyre", "source": "cna", "vendor": "Skywarrior"}, "product": "blackfyre", "vendor": "skywarrior"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-09T17:53:18.931905+00:00", "value": {"mitigation_remediation": ["Upgrade the Blackfyre theme to a version newer than 2.5.4 where the CSRF flaw is fixed.", "If an upgrade cannot be performed immediately, restrict or disable state-changing actions for users who are not required to use them, or deploy a plugin that enforces CSRF nonces for protected forms.", "After applying a fix or workaround, test the site to confirm that forged requests can no longer modify site data."], "summary": {"action": "Apply Patch", "impact": "Cross-Site Request Forgery"}, "threat_synthesis": {"affected_systems": "Skywarrior\u2019s Blackfyre WordPress theme is affected. All releases up to and including version 2.5.4 are vulnerable. No specific patch release is documented in the report, but any installation of the theme at or below 2.5.4 is susceptible until the theme is updated.", "description_and_impact": "The Blackfyre theme for WordPress contains an unauthenticated Cross-Site Request Forgery (CSRF) weakness (CWE-352) that permits a remote attacker to cause a logged-in user to perform state-changing actions without their consent. The problem allows an attacker to force the victim to submit forged requests that can alter site configuration, publish or delete content, or otherwise exploit the privileges of the authenticated user. This can lead to data modification, loss of integrity, or unauthorized content changes.", "risk_and_exploitability": "The CVSS v3.1 score of 6.5 classifies the vulnerability as medium severity, while the EPSS value of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to lure a logged-in visitor to the site or place a crafted link on a trusted page; the attack vector is thus web-based and requires the victim\u2019s credentials. If exploited, the impact is limited to the permissions of the coerced user, but a privileged user could modify critical site settings or publish unwanted content."}}}}, "created": "2026-04-08T19:28:29.540581+00:00", "updated": "2026-04-10T09:40:47.627050+00:00", "vendors": ["skywarrior", "skywarrior$PRODUCT$blackfyre", "wordpress", "wordpress$PRODUCT$wordpress"]}