{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39633", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:43.490Z", "datePublished": "2026-04-08T08:30:29.018Z", "dateUpdated": "2026-04-08T08:30:29.018Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "grandcarrental", "product": "Grand Car Rental", "vendor": "ThemeGoods", "versions": [{"lessThanOrEqual": "3.6.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:35.540Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Car Rental grandcarrental allows Cross Site Request Forgery.<p>This issue affects Grand Car Rental: from n/a through <= 3.6.9.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Car Rental grandcarrental allows Cross Site Request Forgery.This issue affects Grand Car Rental: from n/a through <= 3.6.9."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:29.018Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/grandcarrental/vulnerability/wordpress-grand-car-rental-theme-3-6-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress Grand Car Rental theme <= 3.6.9 - Cross Site Request Forgery (CSRF) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Car Rental grandcarrental allows Cross Site Request Forgery.This issue affects Grand Car Rental: from n/a through <= 3.6.9."}], "id": "CVE-2026-39633", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:33.877", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/grandcarrental/vulnerability/wordpress-grand-car-rental-theme-3-6-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.6.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Grand Car Rental", "source": "cna", "vendor": "ThemeGoods"}, "product": "grand_car_rental", "vendor": "themegoods"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T11:07:32.541936+00:00", "value": {"mitigation_remediation": ["Upgrade the Grand Car Rental theme to a version newer than 3.6.9 that includes the CSRF fix. If upgrade is not possible, restrict administrative access to trusted users and consider using HTTP authentication or IP whitelisting for the admin area. Monitor site logs for abnormal request patterns."], "summary": {"action": "Patch", "impact": "Unauthorized request exploitation"}, "threat_synthesis": {"affected_systems": "WordPress sites that use any version of the Grand Car Rental theme up to and including 3.6.9 are affected. The flaw exists in all releases in this version range, and there is no mitigation other than updating the theme.", "description_and_impact": "A Cross\u2011Site Request Forgery flaw in the Grand Car Rental WordPress theme allows an attacker to submit forged requests that the site processes as legitimate. This can enable the attacker to perform privileged actions on the site without the user\u2019s explicit consent. The weakness arises because the theme does not properly verify the origin of certain requests.", "risk_and_exploitability": "The flaw carries a potential impact on confidentiality, integrity, and availability by permitting unauthorized configuration changes or content manipulation. No exploit probability score is available, and the issue is not listed in the known\u2011exploit vulnerability catalog. Likely attackers would target authenticated administrators, driving them to a malicious site that submits the forged request. Attack requires only a web request and does not depend on privileged access beyond that provided by the site\u2019s existing authentication."}}}}, "created": "2026-04-08T19:29:25.711509+00:00", "updated": "2026-04-08T19:41:42.122678+00:00", "vendors": ["themegoods", "themegoods$PRODUCT$grand_car_rental", "wordpress", "wordpress$PRODUCT$wordpress"]}