{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39619", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:27.974Z", "datePublished": "2026-04-08T08:30:25.868Z", "dateUpdated": "2026-04-29T09:52:02.646Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "busiprof", "product": "Busiprof", "vendor": "priyanshumittal", "versions": [{"lessThanOrEqual": "2.5.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:38.712Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Busiprof busiprof allows Upload a Web Shell to a Web Server.<p>This issue affects Busiprof: from n/a through <= 2.5.2.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Busiprof busiprof allows Upload a Web Shell to a Web Server.This issue affects Busiprof: from n/a through <= 2.5.2."}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "Upload a Web Shell to a Web Server"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:02.646Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/busiprof/vulnerability/wordpress-busiprof-theme-2-5-2-cross-site-request-forgery-csrf-to-arbitrary-file-upload-vulnerability?_s_id=cve"}], "title": "WordPress Busiprof theme <= 2.5.2 - Cross Site Request Forgery (CSRF) to Arbitrary File Upload vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T20:41:01.715781Z", "id": "CVE-2026-39619", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T20:41:28.031Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39619", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T20:41:01.715781Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T20:40:48.807Z"}}], "cna": {"title": "WordPress Busiprof theme <= 2.5.2 - Cross Site Request Forgery (CSRF) to Arbitrary File Upload vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "Upload a Web Shell to a Web Server"}]}], "affected": [{"vendor": "priyanshumittal", "product": "Busiprof", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.5.2"}], "packageName": "busiprof", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:38.712Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/busiprof/vulnerability/wordpress-busiprof-theme-2-5-2-cross-site-request-forgery-csrf-to-arbitrary-file-upload-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Busiprof busiprof allows Upload a Web Shell to a Web Server.This issue affects Busiprof: from n/a through <= 2.5.2.", "supportingMedia": [{"type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Busiprof busiprof allows Upload a Web Shell to a Web Server.<p>This issue affects Busiprof: from n/a through <= 2.5.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:25.868Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39619", "state": "PUBLISHED", "dateUpdated": "2026-04-09T20:41:28.031Z", "dateReserved": "2026-04-07T10:57:27.974Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:25.868Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Busiprof busiprof allows Upload a Web Shell to a Web Server.This issue affects Busiprof: from n/a through <= 2.5.2."}], "id": "CVE-2026-39619", "lastModified": "2026-04-24T18:06:58.907", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:31.873", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/busiprof/vulnerability/wordpress-busiprof-theme-2-5-2-cross-site-request-forgery-csrf-to-arbitrary-file-upload-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Busiprof", "source": "cna", "vendor": "priyanshumittal"}, "product": "busiprof", "vendor": "priyanshumittal"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-10T00:25:01.366565+00:00", "value": {"mitigation_remediation": ["Upgrade the Busiprof theme to the latest available version beyond 2.5.2 if a patched release is released.", "If an upgrade cannot be performed immediately, disable the file\u2011upload functionality in the theme or restrict uploads using WordPress settings.", "Configure the upload directory so that uploaded files cannot be executed, for example by setting appropriate permissions or adding an .htaccess rule to deny execution."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All WordPress sites that use the Busiprof theme version 2.5.2 or earlier are vulnerable. Affected installations include any instance where the theme has not yet been updated beyond the specified version.", "description_and_impact": "The Busiprof WordPress theme contains a Cross\u2011Site Request Forgery flaw that permits an attacker to upload arbitrary files, including web shells, to the site\u2019s server. This enables the attacker to execute code with the web server\u2019s privileges, effectively compromising the website. The weakness is classified as CWE\u2011352.", "risk_and_exploitability": "The vulnerability carries a CVSS base score of 9.6, placing it in the critical range and indicating that successful exploitation would result in complete compromise. The EPSS probability is below 1\u202f%, suggesting that exploit attempts are currently rare, and the issue is not listed in CISA\u2019s KEV catalog. The likely attack vector is a forged request from a user who has permission to upload files, such as a content editor or administrator, who is tricked into submitting a malicious payload. Once the request is processed, the attacker can place a web shell in the upload directory and execute arbitrary code."}}}}, "created": "2026-04-08T19:29:40.549180+00:00", "updated": "2026-04-10T09:40:58.484374+00:00", "vendors": ["priyanshumittal", "priyanshumittal$PRODUCT$busiprof", "wordpress", "wordpress$PRODUCT$wordpress"]}