CVE-2026-57655 is a Cross-Site Request Forgery (CWE-352) vulnerability in the Child Theme Wizard plugin by Jay Versluis, affecting versions up to and including 1.4. The vulnerability allows unauthenticated attackers to trick users into submitting unwanted requests that can modify application state, resulting in high integrity impact and low availability impact. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, and scope changed. No official remediation or patch information is currently provided by the vendor.

The vulnerability enables attackers to perform unauthorized actions by exploiting CSRF, potentially leading to modification of data or settings within the affected plugin. The integrity of the application can be compromised, though confidentiality is not impacted and availability impact is low. Since the vulnerability is unauthenticated and network accessible, it poses a significant risk if exploited.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider implementing CSRF protections at the application or web server level, such as verifying origin headers or using web application firewalls to detect and block CSRF attempts. Monitor vendor channels for updates and apply patches promptly once available.