JaviBola Custom Theme Test <= 2.0.5 - Cross-Site Request Forgery
Description
The JaviBola Custom Theme Test plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on the options page. This makes it possible for unauthenticated attackers to change the site's active theme by modifying the jbct_theme option via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Technical Details
Affected versions: <= 2.0.5
Exploitation Research Plan - CVE-2026-8423 (JaviBola Custom Theme Test)
1. Vulnerability Summary
The JaviBola Custom Theme Test plugin (<= 2.0.5) contains a Cross-Site Request Forgery (CSRF) vulnerability. The plugin allows administrators to select and "test" different themes by updating a plugin-specific option, jbct_theme. However, the code responsible for processing the update fails to perform nonce validation (via check_admin_referer or wp_verify_nonce). An attacker can trick a logged-in administrator into submitting a forged request, leading to an unauthorized change of the site's active theme or the plugin's "test" theme configuration.
2. Attack Vector Analysis
- Vulnerable Endpoint: /wp-admin/admin.php or /wp-admin/options-general.php (specific slug is likely javibola-custom-theme).
- HTTP Method: POST
- Authentication: Required (Administrator victim session).
- Vulnerable Parameter: jbct_theme (the value representing the theme slug).
- Preconditions: An administrator must be logged into the WordPress dashboard and be tricked into visiting a malicious URL or auto-submitting an HTML form.
3. Code Flow (Inferred)
- Hook Registration: The plugin likely registers an admin menu page via add_options_page or add_menu_page with a slug like javibola-custom-theme.
- Setting Update Logic: Within the menu callback function or an admin_init hook, the plugin checks for the presence of $_POST['jbct_theme'].
- Vulnerable Sink:
  if ( isset( $_POST['jbct_theme'] ) ) {
      // Missing: check_admin_referer('jbct_action_nonce');
      update_option( 'jbct_theme', sanitize_text_field( $_POST['jbct_theme'] ) );
      // The plugin may then call switch_theme() or use a filter to swap themes.
  }
- Failure: Because no nonce check is present, any POST request containing jbct_theme sent to the admin context will trigger the update if the user has sufficient permissions.
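As an added illustration (not the plugin's own code), the following minimal settings page mirrors the inferred jbct_theme flow with the CSRF defect closed: the form emits a nonce, the handler verifies it, checks capability, and allow-lists the stored value. The function names, the admin_init hook, the menu slug, and the nonce action/field names (jbct_save_settings, jbct_nonce) are assumptions.

```php
<?php
// Added example, not the plugin's code. Hook names, slug, nonce action and
// nonce field name are assumptions chosen to match the inferred flow above.

add_action( 'admin_menu', 'jbct_example_register_page' );

function jbct_example_register_page() {
    add_options_page( 'Theme Test', 'Theme Test', 'switch_themes',
        'javibola-custom-theme', 'jbct_example_render_page' );
}

// Handler runs on admin_init so the redirect can happen before any output.
add_action( 'admin_init', 'jbct_example_handle_save' );

function jbct_example_handle_save() {
    if ( ! isset( $_POST['jbct_theme'] ) ) {
        return;
    }
    // 1. Nonce check: a forged cross-site POST cannot carry a valid nonce, so
    //    check_admin_referer() dies with a 403 before the option is touched.
    check_admin_referer( 'jbct_save_settings', 'jbct_nonce' );
    // 2. Capability check: a nonce proves intent, not authorisation.
    if ( ! current_user_can( 'switch_themes' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 3. Allow-list the value: only a slug of an installed theme may be stored.
    $slug = sanitize_text_field( wp_unslash( $_POST['jbct_theme'] ) );
    if ( ! wp_get_theme( $slug )->exists() ) {
        wp_die( 'Unknown theme.', 400 );
    }
    update_option( 'jbct_theme', $slug );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}

function jbct_example_render_page() {
    $current = get_option( 'jbct_theme', '' );
    echo '<form method="post">';
    // Emits the hidden jbct_nonce field that check_admin_referer() expects.
    wp_nonce_field( 'jbct_save_settings', 'jbct_nonce' );
    echo '<select name="jbct_theme">';
    foreach ( wp_get_themes() as $slug => $theme ) {
        printf( '<option value="%s"%s>%s</option>', esc_attr( $slug ),
            selected( $current, $slug, false ), esc_html( $theme->get( 'Name' ) ) );
    }
    echo '</select>';
    submit_button( 'Save Changes' );
    echo '</form>';
}
```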
4. Nonce Acquisition Strategy
According to the vulnerability description, the plugin lacks nonce validation.
- If missing: No nonce is required in the exploit payload.
- If incorrect/bypassable: If the code uses a generic nonce (like -1) or doesn't check the return value of wp_verify_nonce, the exploit will simply omit the nonce or provide a dummy value.
To confirm the absence of a nonce:
- Navigate to the plugin settings page: browser_navigate("/wp-admin/options-general.php?page=javibola-custom-theme").
- Inspect the HTML form for a hidden field named _wpnonce or similar.
- If a nonce exists but the CVE states it is missing/incorrect, try the exploit without the parameter.
5. Exploitation Strategy
The goal is to change the jbct_theme option to a target theme (e.g., twentytwentyfour).
Step-by-Step Plan:
- Identify Target Theme: Use wp theme list to find an installed theme slug that is not currently active.
- Simulate Admin Request: Since this is a PoC in an isolated environment, use the http_request tool with the administrator's cookies to send a POST request without a nonce.
- Payload:
  - URL: https://[TARGET]/wp-admin/options-general.php?page=javibola-custom-theme (inferred slug)
  - Method: POST
  - Headers: Content-Type: application/x-www-form-urlencoded
  - Body: jbct_theme=[TARGET_THEME_SLUG]&submit=Save+Changes
6. Test Data Setup
- Install Plugin: wp plugin install javibola-custom-theme --version=2.0.5 --activate
- Identify Current Theme: wp theme list --status=active
- Prepare Target: Ensure at least two themes are installed (e.g., twentytwentythree and twentytwentyfour).
7. Expected Results
- The server should return a 302 Redirect or a 200 OK indicating the settings were saved.
- The WordPress option jbct_theme in the wp_options table should be updated to the value provided in the payload.
- If the plugin applies the theme immediately, the site frontend should render using the new theme.
8. Verification Steps
After sending the http_request, verify the change using WP-CLI:
- Check Option: wp option get jbct_theme
- Check Active Theme: wp theme list --status=active (to see if the plugin actually switched the site's active theme).
- Confirm Result: Compare the output of wp option get jbct_theme with the payload value.
9. Alternative Approaches
If the settings page slug differs or the update logic is triggered via AJAX:
- Check AJAX Handlers: grep -rn "wp_ajax" wp-content/plugins/javibola-custom-theme/
- Search for option name: grep -rn "jbct_theme" wp-content/plugins/javibola-custom-theme/ to find the exact file and hook processing the request.
- Check admin_post: If the form targets admin-post.php, the action parameter will be required: action=jbct_save_settings&jbct_theme=....
Summary
The JaviBola Custom Theme Test plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 2.0.5. This occurs because the plugin fails to perform nonce validation when processing settings updates, allowing attackers to change the site's configured test theme by tricking an administrator into making a forged request.
Vulnerable Code
// File: wp-content/plugins/javibola-custom-theme/javibola-custom-theme.php (estimated location)
if ( isset( $_POST['jbct_theme'] ) ) {
    // Vulnerability: No check_admin_referer() or wp_verify_nonce() call here
    update_option( 'jbct_theme', sanitize_text_field( $_POST['jbct_theme'] ) );
}
Security Fix
@@ -1,5 +1,6 @@ if ( isset( $_POST['jbct_theme'] ) ) { + check_admin_referer( 'jbct_save_settings', 'jbct_nonce' ); update_option( 'jbct_theme', sanitize_text_field( $_POST['jbct_theme'] ) ); }
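Review bot: the added check_admin_referer( 'jbct_save_settings', 'jbct_nonce' ) line verifies the nonce only; the handler still needs a capability check (for example current_user_can( 'switch_themes' )) before update_option(), because a valid nonce proves the request came from the plugin's own form, not that the user is allowed to change themes. The settings form must also emit the matching wp_nonce_field( 'jbct_save_settings', 'jbct_nonce' ), or legitimate saves will fail after this change, and since this hunk still stores $_POST['jbct_theme'] as free text, consider validating it against installed themes (wp_get_theme( $slug )->exists()) before the update_option() call.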
Exploit Outline
The exploit targets the plugin's administrative settings page, which lacks CSRF protection. An attacker can use an external site or a malicious HTML email to force an administrator's browser to send a POST request to the WordPress admin panel.
- Endpoint: /wp-admin/options-general.php?page=javibola-custom-theme (or the plugin's specific menu slug)
- Method: POST
- Payload Shape: jbct_theme=[TARGET_THEME_SLUG]&submit=Save+Changes
- Authentication: Requires the victim to have an active session with Administrator privileges.
Because the plugin does not verify a nonce, it will process the `update_option` call for any POST request containing the `jbct_theme` parameter, successfully changing the site's theme configuration.