MEDIUM
javibola
CVE published 2026-05-20
CVE-2026-8423
The JaviBola Custom Theme Test plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 2.0.5. The vulnerability stems from missing or incorrect nonce validation on the plugin's options page, allowing unauthenticated attackers to change the site's active theme by modifying the `jbct_theme` option through a forged request. Successful exploitation requires [truncated]
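The flaw class described above, shown as an added example that is not the plugin's own code: a settings handler that writes `jbct_theme` with no nonce check, next to a hardened form and handler built on WordPress's nonce and capability APIs. Only the option name `jbct_theme` comes from the advisory; the `jbct_example_*` function, action and field names are hypothetical.

```php
<?php
// Illustrative only: hypothetical handler names, not the plugin's source.

// Unprotected pattern: a state change driven purely by request data.
// The browser attaches the admin's session cookie to any cross-site POST,
// so nothing here proves the request came from the real settings form.
function jbct_example_save_unsafe() {
    if ( isset( $_POST['jbct_theme'] ) ) {
        $slug = sanitize_text_field( wp_unslash( $_POST['jbct_theme'] ) );
        update_option( 'jbct_theme', $slug );
    }
}

// Hardened form: embeds a nonce bound to the user, session and action.
function jbct_example_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'jbct_example_save', 'jbct_example_nonce' );
    printf(
        '<input type="text" name="jbct_theme" value="%s">',
        esc_attr( get_option( 'jbct_theme', '' ) )
    );
    submit_button();
    echo '</form>';
}

// Hardened handler: capability check, nonce check, then value validation.
function jbct_example_save() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['jbct_theme'] ) ) {
        return;
    }
    if ( ! current_user_can( 'switch_themes' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies with a 403 if the nonce is missing, expired or for another action.
    check_admin_referer( 'jbct_example_save', 'jbct_example_nonce' );

    $slug = sanitize_text_field( wp_unslash( $_POST['jbct_theme'] ) );
    // Accept only a theme that is actually installed.
    if ( '' !== $slug && ! wp_get_theme( $slug )->exists() ) {
        wp_die( 'Unknown theme.', '', array( 'response' => 400 ) );
    }
    update_option( 'jbct_theme', $slug );
}
add_action( 'admin_init', 'jbct_example_save' );
```

When reviewing a plugin for this class of bug, look for `update_option()` calls reachable from `$_POST` or `$_GET` without a preceding `check_admin_referer()` or `wp_verify_nonce()` on the same code path.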