CVE-2026-27741 MEDIUM

CVE-2026-27741: Bludit <= 3.16.1 CSRF in Plugin and Theme Management Endpoints

Vendor Bludit
Product Bludit
Weakness CWE-352 · CSRF
Published February 23, 2026
Last update March 5, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Active
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Bludit versions up to and including 3.16.1 are vulnerable to cross-site request forgery (CSRF) in the /admin/uninstall-plugin/ and /admin/install-theme/ endpoints. Neither action is protected by an anti-CSRF token, and the application does not validate where the request came from (for example through the Origin or Referer header) before acting on it. An attacker who lures an authenticated administrator to a page under the attacker's control can have that page silently submit crafted requests to these endpoints; the browser attaches the administrator's session cookie and the application carries out the action. The result is unauthorized plugin uninstallation or theme installation, which can break site functionality, lead to execution of untrusted code through a malicious theme, and compromise the integrity of the system. The attacker needs no account on the target (PR:N), but the attack depends on the administrator visiting the attacker's page while holding an active admin session (UI:A).
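Checking whether an administrative endpoint is actually protected comes down to three properties: a state-changing action is reachable only by POST, it requires a token that a foreign page cannot read, and the request arrives from the site's own origin. The PHP below, added here as an illustration and not taken from Bludit's code base, shows one way to guard a handler such as /admin/uninstall-plugin/ with a session-bound token plus an Origin check, with a SameSite session cookie as defense in depth. The names csrf_token, csrf_field, csrf_validate, request_origin_is_trusted, authorize_admin_action, the csrf_token and plugin form fields and the SITE_HOST value are assumptions made for the example.

```php
<?php
// Added example, not Bludit's own code: a hardened admin action handler that
// refuses cross-site requests. All function names, the 'csrf_token' and
// 'plugin' form fields and the SITE_HOST constant are hypothetical.
declare(strict_types=1);

const SITE_HOST = 'blog.example';   // assumed hostname of the Bludit instance

// Defense in depth: a SameSite=Lax session cookie is not attached to
// cross-site POSTs, so even an unchecked endpoint is harder to reach.
// Must be called before session_start(); the array form needs PHP >= 7.3.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// One unguessable token per session, issued lazily on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to render inside every admin form that changes state.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison against the session copy. A session that has not
// been issued a token yet fails closed instead of matching an empty value.
function csrf_validate(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($submitted === null || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Independent second check: the Origin header (or, failing that, Referer)
// must name this site. A request carrying neither is treated as untrusted.
function request_origin_is_trusted(array $server, string $siteHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if (!is_string($source) || $source === '') {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);   // false for "null" or junk
    return is_string($host) && strcasecmp($host, $siteHost) === 0;
}

// Gate for a state-changing admin action such as uninstall-plugin or
// install-theme. Returns an HTTP status; 200 means the action may proceed.
function authorize_admin_action(array $server, array $post): int
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 405;   // never change state on GET: an <img src> would suffice
    }
    if (!request_origin_is_trusted($server, SITE_HOST)) {
        return 403;
    }
    if (!csrf_validate($post['csrf_token'] ?? null)) {
        return 403;
    }
    return 200;
}

// Wiring for the uninstall-plugin endpoint.
$status = authorize_admin_action($_SERVER, $_POST);
if ($status !== 200) {
    http_response_code($status);
    exit('Request rejected');
}

// The plugin name is restricted to a safe character set before it reaches
// the application's own uninstall routine (not shown here).
$plugin = $_POST['plugin'] ?? '';
if (!preg_match('/^[A-Za-z0-9_-]+$/', $plugin)) {
    http_response_code(400);
    exit('Invalid plugin name');
}
// ... hand $plugin to the uninstall routine ...
```

A quick regression check on a test instance is to capture a legitimate uninstall request and replay it twice: once with the csrf_token field removed and once with the Origin header set to another host. The hardened handler answers 403 in both cases, whereas an endpoint with the weakness described above accepts the replayed request.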

Key dates

Disclosure timeline

February 23, 2026 CVE published
March 5, 2026 Record updated