HarborGuard Database
Severity: HIGH | CVE-2026-22342 | CNA: Patchstack

CVE-2026-22342: WordPress WordPress Dating Theme theme <= 11.2.0 - Cross Site Request Forgery (CSRF) to Account Takeover vulnerability

Unauthenticated Cross Site Request Forgery (CSRF) in WordPress Dating Theme <= 11.2.0 versions.

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: no fixed version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A Cross-Site Request Forgery (CSRF) vulnerability affects the WordPress Dating Theme by PremiumPress Limited at version 11.2.0 and earlier. The flaw is reachable over the network and requires no authentication on the attacker's side, but it does require a logged-in victim to interact with a malicious link or page. Successful exploitation allows a remote attacker to take over the victim's account, with high impact to confidentiality, integrity, and availability of the affected WordPress installation. No fixed version has been published yet; HarborGuard tracks the advisory and will surface a patched rebuild as soon as upstream ships one.

HarborGuard Coverage

Detection

Detection for CVE-2026-22342 is available across every HarborGuard environment: the CVE is matched against customer images within minutes of ingestion from upstream advisory feeds, including Patchstack and NVD. Coverage extends to custom-built images that bundle the WordPress Dating Theme, not just images pulled from public registries.

Status: Available
Triage

HarborGuard scores this CVE at CVSS 8.8 (HIGH), weights it against each customer organization's compliance policy, and prioritizes it accordingly. Triage routing can direct findings to the appropriate team inbox within each customer environment based on configured ownership rules.

Status: Available
Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment PremiumPress Limited publishes a remediated release. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will trigger without manual intervention once a fix version exists.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target WordPress site over the network; the vulnerable endpoint is exposed via standard HTTP/HTTPS.

  • Authentication: Not required

    No account or credentials are needed on the target site; the attack is launched entirely from an unauthenticated position.

  • Victim interaction: Required

    A logged-in WordPress user must be socially engineered into visiting a malicious page or clicking a crafted link that triggers the forged request.

  • Attack complexity: Low

    The exploit is reliable and condition-free once the victim interacts; no race conditions, special memory layout, or environmental factors are required.

Blast Radius

  • A successful attack allows the attacker to take over the victim's WordPress account, gaining full control of the account's session and permissions.
  • With high integrity impact, the attacker can modify persisted site content, user data, and plugin or theme settings under the victim's identity.
  • With high confidentiality impact, the attacker can read stored user profile data, private messages, and any session credentials accessible to the compromised account.
  • With high availability impact, the attacker can disrupt or disable site functionality by altering or deleting configuration and content through the hijacked account.

How HarborGuard Handles This

Because no upstream fix exists for CVE-2026-22342 as of publication, HarborGuard monitors the Patchstack and NVD advisory feeds on every ingest cycle and will make a patched-image rebuild available the moment PremiumPress Limited publishes a remediated version. In the interim, compensating controls are worth considering: network-policy rules that restrict access to the affected WordPress installation to known-good IP ranges, WAF rules that block cross-origin state-changing requests to the theme's endpoints, and removing the Dating Theme from the installation entirely if it is not in active use. For customers with auto-remediation enabled, once a fix version is published, HarborGuard will trigger a rebuild, run regression tests, and open a PR against affected workloads automatically, targeting a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in those environments.
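The following is an added illustration of the WAF-style compensating control mentioned above; it is not HarborGuard's, Patchstack's, or PremiumPress's code. It models a reverse-proxy check that refuses state-changing requests which carry a WordPress login cookie but do not originate from the site's own origin, consulting the Fetch Metadata (Sec-Fetch-Site), Origin, and Referer headers in turn and failing closed when none is present. The site origin, the `wordpress_logged_in_` cookie prefix check, and the sample requests are assumptions constructed for the example.

```python
"""
Added example (not HarborGuard's or the theme's code): a reverse-proxy/WAF-style
check that blocks cross-origin state-changing requests riding a WordPress login
cookie. SITE_ORIGIN and SAMPLE_REQUESTS are constructed for illustration.
"""
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.test"          # assumed origin of the protected site
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}     # no state change expected for these
LOGIN_COOKIE_PREFIX = "wordpress_logged_in_"  # WordPress auth cookie name prefix


def origin_of(url: str):
    """Return scheme://host[:port] of a URL, lower-cased, or None if not absolute."""
    p = urlsplit(url)
    if not p.scheme or not p.netloc:
        return None
    return f"{p.scheme}://{p.netloc}".lower()


def carries_login_cookie(cookie_header: str) -> bool:
    """True if the Cookie header includes a WordPress logged-in cookie."""
    return any(part.strip().startswith(LOGIN_COOKIE_PREFIX)
               for part in cookie_header.split(";"))


def decide(method: str, headers: dict):
    """Return (allow, reason) for one request; header names are case-insensitive.

    Checks, in order: safe methods pass; requests without a login cookie pass
    (there is no session to ride); then Sec-Fetch-Site, Origin and Referer are
    consulted; a state-changing request with a session but no origin
    information is refused (fail closed).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not carries_login_cookie(h.get("cookie", "")):
        return True, "no WordPress session cookie; CSRF not applicable"
    sfs = h.get("sec-fetch-site")
    if sfs is not None:
        # Browsers that send Fetch Metadata label the request's relation to the
        # site; only same-origin (and user-initiated "none") are accepted here.
        return sfs in ("same-origin", "none"), f"sec-fetch-site={sfs}"
    origin = h.get("origin")
    if origin is not None:
        return origin.lower() == SITE_ORIGIN, f"origin={origin}"
    referer = h.get("referer")
    if referer is not None:
        return origin_of(referer) == SITE_ORIGIN, f"referer={referer}"
    return False, "state-changing request with session but no origin information"


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    ("POST", {"Origin": SITE_ORIGIN, "Cookie": "wordpress_logged_in_x=1"}),
    ("POST", {"Origin": "https://attacker.example", "Cookie": "wordpress_logged_in_x=1"}),
    ("POST", {"Sec-Fetch-Site": "cross-site", "Cookie": "wordpress_logged_in_x=1"}),
    ("POST", {"Referer": SITE_ORIGIN + "/profile/", "Cookie": "wordpress_logged_in_x=1"}),
    ("POST", {"Authorization": "Basic dXNlcjpwYXNz"}),  # token-authenticated API client
    ("POST", {"Cookie": "wordpress_logged_in_x=1"}),     # session but no origin info
    ("GET", {"Cookie": "wordpress_logged_in_x=1"}),
]


def run_samples():
    """Evaluate the constructed samples; returns [(method, allow, reason), ...]."""
    return [(m, *decide(m, hdrs)) for m, hdrs in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for method, allow, reason in run_samples():
        print(f"{method:5} {'ALLOW' if allow else 'BLOCK'} {reason}")
```

This is a compensating control, not a fix: it only narrows the window until a remediated theme version ships. Because it rejects `Sec-Fetch-Site: same-site`, pages served from a sibling subdomain that legitimately post to the site will be blocked, and non-browser clients that authenticate with cookies rather than tokens will need an explicit exemption.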

Affected packages
  • PremiumPress Limited / WordPress Dating Theme: ≤ 11.2.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H