Bludit CMS CSRF in Plugin and Theme Management Endpoints (CVE-2026-27741)
Author: Beatriz Fresno Naumova, Ryan Chan (@RyanC34)
Date: 23/02/2026
Vendor: Bludit
Product: Bludit
Versions affected: ≤ 3.16.1
Component: /admin/uninstall-plugin/ and /admin/install-theme/ endpoints
CWE: CWE-352 – Cross-Site Request Forgery (CSRF)
Attack type: Remote
Impact: Cross-Site Request Forgery (CSRF) leading to unauthorized administrative actions
Description
Bludit versions up to and including 3.16.1 are affected by a Cross-Site Request Forgery (CSRF) vulnerability in the administrative endpoints responsible for plugin uninstallation and theme installation.
The application does not implement anti-CSRF tokens, SameSite protections, or request origin validation mechanisms for the /admin/uninstall-plugin/ and /admin/install-theme/ endpoints.
An attacker can craft a malicious webpage that silently submits forged HTTP requests to these endpoints. If an authenticated administrator visits the attacker-controlled page, the browser automatically includes the active session cookies, resulting in unauthorized execution of administrative actions.
Successful exploitation may allow an attacker to uninstall legitimate plugins or install malicious themes, potentially leading to execution of untrusted code and compromise of system integrity.
Impact
Primary impact
Unauthorized administrative actions performed in the context of an authenticated administrator.
Consequences
Unauthorized plugin uninstallation
Installation of malicious themes
Execution of untrusted code
Loss of functionality
Compromise of system integrity
CVSS Details
CVSS v4.0 Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Base Score: 5.1 (Medium)
CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base Score: 4.3 (Medium)
Solution
At the time of disclosure, no official patch was confirmed in the affected version range.
Recommendation
Implement anti-CSRF tokens for all state-changing administrative actions
Set SameSite=Lax or SameSite=Strict on the administrative session cookie so the browser withholds it from cross-site POST requests
Validate Origin and Referer headers for administrative endpoints, rejecting requests that carry neither
Restrict state-changing administrative actions to POST requests; on its own this does not stop CSRF, since a hidden auto-submitting form can issue a POST, so combine it with the token and origin checks above
Conduct a security review of all privileged endpoints
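To make the token, origin and SameSite recommendations above concrete, the following Python guard is an added example written for this page; it is not Bludit's own code and does not reflect how Bludit handles requests. It assumes a site origin of https://blog.example, a placeholder session cookie named sid, and a hypothetical plugin form field; none of these come from the advisory. The forged request it builds is a constructed sample of what an attacker's auto-submitting form would produce against /admin/uninstall-plugin/.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment origin of the Bludit site (not from the advisory).
SITE_ORIGIN = "https://blog.example"


class AdminSession:
    """Server-side session holding one unpredictable per-session CSRF token."""

    def __init__(self) -> None:
        self.csrf_token = secrets.token_urlsafe(32)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session cookie ('sid' is a placeholder name).
    SameSite=Lax keeps the cookie off cross-site POSTs, which is the request
    shape a CSRF page uses against /admin/uninstall-plugin/."""
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def render_uninstall_form(session: AdminSession, plugin: str) -> str:
    """Legitimate admin form: the token travels in a hidden field, so a page on
    another origin cannot read it and therefore cannot forge a valid request.
    'plugin' is a hypothetical field name, not Bludit's real parameter."""
    return (
        '<form method="POST" action="/admin/uninstall-plugin/">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        f'<input type="hidden" name="plugin" value="{plugin}">'
        '<button>Uninstall</button></form>'
    )


def origin_allowed(headers: dict) -> bool:
    """Prefer Origin; fall back to Referer; fail closed if neither is present."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN
    return False


def csrf_check(session: AdminSession, method: str, headers: dict, form: dict):
    """Return (allowed, reason). All three controls must pass."""
    if method != "POST":
        return False, "method"
    if not origin_allowed(headers):
        return False, "origin"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; encode to bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return False, "token"
    return True, "ok"


def forged_request() -> tuple:
    """Constructed sample of what an attacker's auto-submitting form produces:
    the browser attaches the session cookie and an Origin header naming the
    attacker's site, but the attacker cannot supply the victim's token."""
    headers = {"Origin": "https://attacker.example", "Cookie": "sid=victim-session"}
    form = {"plugin": "some-plugin"}
    return "POST", headers, form


if __name__ == "__main__":
    s = AdminSession()
    print(csrf_check(s, *forged_request()))  # (False, 'origin')
    legit_headers = {"Origin": SITE_ORIGIN}
    print(csrf_check(s, "POST", legit_headers, {"csrf_token": s.csrf_token, "plugin": "x"}))  # (True, 'ok')
```

The origin check fails closed when neither Origin nor Referer is present; browsers always send Origin on cross-origin POSTs, so a missing header on a state-changing request is itself suspicious. The per-session token remains the primary control and the forged request would fail on it even if the origin check were skipped.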
Mitigation
Apply CSRF protection mechanisms across all administrative routes
Use framework-level CSRF middleware where available
Deploy a Content Security Policy (CSP) as defense in depth only; CSP on the Bludit site does not block a cross-site form submission, because the forged request is issued from the attacker's page, so it is no substitute for the token and origin checks above
Monitor administrative actions for anomalies
Discoverers
Beatriz Fresno Naumova
Ryan Chan (@RyanC34)
References
CVE Record: https://www.cve.org/CVERecord?id=CVE-2026-27741
Vendor Website: https://www.bludit.com/