SpicePress: Unsecured Upload Allows Malicious File Upload

CVE-2026-39621
Summary

An attacker can trick an authenticated user into unknowingly sending a forged request (cross-site request forgery) that uploads a malicious file, such as a web shell, to a SpicePress website, potentially allowing the attacker to take control of the server. This issue affects all versions of SpicePress up to and including 2.3.2.5. To protect your site, update to a patched version of SpicePress as soon as possible.

Original title
Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicepress allows Upload a Web Shell to a Web Server. This issue affects SpicePress: from n/a through <= 2.3.2.5.
Original description
Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicepress allows Upload a Web Shell to a Web Server. This issue affects SpicePress: from n/a through <= 2.3.2.5.
Vulnerability type
CWE-352 Cross-Site Request Forgery (CSRF)
Published: 8 Apr 2026 · Updated: 9 Apr 2026 · First seen: 8 Apr 2026