
CVE-2024-37102

Medium

Published: 02 January 2025
Modified: 23 April 2026
KEV added: not listed
CVSS v3.1 base score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
EPSS score: 0.0022 (45.2nd percentile)
Risk priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-37102 is a medium-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in the Blossom Themes Vilva WordPress theme, affecting versions up to and including 1.2.2. Its CVSS v3.1 base score is 4.3 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 45.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations identified by this analysis are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-37102 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Blossom Themes Vilva WordPress theme. It affects all Vilva releases up to and including 1.2.2 (the earliest affected version is not specified). A state-changing request handled by the theme can be submitted on behalf of a logged-in user without that user's intent, so an attacker can cause unauthorized actions within the theme's functionality.

The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N): it is reachable over the network, has low attack complexity, needs no privileges on the attacker's side, requires user interaction, and does not change scope. An unauthenticated attacker exploits it by luring an authenticated user (typically an administrator) to a page that submits the forged request; the browser attaches the victim's WordPress session cookie, and the request succeeds because the affected handler does not verify that the user intended it. The impact is limited to integrity (C:N/I:L/A:N), such as unauthorized changes to theme settings.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/vilva/vulnerability/wordpress-vilva-theme-1-2-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve, which documents the issue and associated remediation steps for the affected theme versions.


Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in blossomthemes Vilva vilva allows Cross Site Request Forgery. This issue affects Vilva: from n/a through <= 1.2.2.

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A CSRF flaw in a theme installed on a public-facing WordPress site lets an attacker drive unauthorized actions through the web application itself, which is the exploitation of a public-facing application described by T1190.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-37412 · same vendor: Blossomthemes
CVE-2024-37450 · shared CWE-352
CVE-2025-23558 · shared CWE-352
CVE-2025-68722 · shared CWE-352
CVE-2025-31440 · shared CWE-352
CVE-2025-23848 · shared CWE-352
CVE-2025-22571 · shared CWE-352
CVE-2024-53684 · shared CWE-352
CVE-2025-23455 · shared CWE-352
CVE-2025-22582 · shared CWE-352

Affected Assets

blossomthemes
vilva
≤ 1.2.2

Mitigating Controls (NIST 800-53 r5)

prevent: SC-23 (Session Authenticity) requires protecting the authenticity of communications sessions. Per-request anti-CSRF tokens (in WordPress, nonces verified on every state-changing request) are the standard implementation and would have rejected the forged requests this vulnerability allows.

prevent: SI-10 (Information Input Validation) mandates validating information inputs; for the theme's request handlers this means checking the CSRF token and validating the remaining fields before acting on them, so that forged or malformed requests are blocked.

prevent: SI-2 (Flaw Remediation) covers timely identification, reporting, and correction of flaws; here, updating Vilva from any release up to 1.2.2 to a fixed release as directed by the Patchstack advisory.
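The following is an added example, not code from the Vilva theme or from Blossom Themes; the page does not say which theme action lacked the check, so the option name, action name and nonce name (`vilva_example_*`) are hypothetical. It shows the CSRF-prone shape of a WordPress theme settings handler described in the analysis above, and the hardened shape that satisfies the SC-23 and SI-10 controls with a capability check plus nonce verification before any input is trusted. All WordPress functions used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `sanitize_text_field`, `update_option`) are real core APIs.

```php
<?php
/*
 * Added example (not Vilva's code). Hypothetical theme option handler,
 * registered on admin-post.php, shown first in the CSRF-prone form and
 * then hardened. Names prefixed vilva_example_ are assumptions.
 */

// --- Vulnerable shape ---
// Any POST reaching admin-post.php?action=vilva_example_save_options is
// honoured. A logged-in administrator who loads an attacker-controlled page
// with an auto-submitting form changes the option without intending to: the
// browser attaches the admin's session cookie and nothing proves intent.
function vilva_example_save_options_vulnerable() {
    $value = isset( $_POST['footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['footer_text'] ) )
        : '';
    update_option( 'vilva_example_footer_text', $value ); // integrity impact
    wp_safe_redirect( admin_url( 'themes.php?page=vilva-example' ) );
    exit;
}

// --- Hardened shape ---
// The form embeds a nonce bound to the current user, the action name and a
// time window. A cross-site page cannot read it, so a forged request arrives
// without a valid nonce.
function vilva_example_render_options_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="vilva_example_save_options">
        <?php wp_nonce_field( 'vilva_example_save_options', 'vilva_example_nonce' ); ?>
        <input type="text" name="footer_text"
               value="<?php echo esc_attr( get_option( 'vilva_example_footer_text', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function vilva_example_save_options_hardened() {
    // 1. Authorisation: only users allowed to change theme settings.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Request authenticity (SC-23): check_admin_referer() verifies the
    //    nonce for this action and calls wp_die() on a missing or invalid
    //    one, so execution never reaches the state change for a forged request.
    check_admin_referer( 'vilva_example_save_options', 'vilva_example_nonce' );

    // 3. Input validation (SI-10) of the remaining fields, only after the
    //    request has been proven authentic.
    $value = isset( $_POST['footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['footer_text'] ) )
        : '';
    update_option( 'vilva_example_footer_text', $value );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'themes.php?page=vilva-example' ) ) );
    exit;
}

// Wire the hardened handler; the vulnerable one is kept only for comparison.
add_action( 'admin_post_vilva_example_save_options', 'vilva_example_save_options_hardened' );
```

The order of the three checks matters: the capability check stops low-privilege accounts, the nonce check stops forged requests from legitimate accounts, and sanitisation handles the field values only once the request is known to be intentional. For handlers exposed through `admin-ajax.php` the equivalent of `check_admin_referer()` is `check_ajax_referer()`, and a nonce can be passed to such an endpoint in the request body or in the `X-WP-Nonce` header rather than a form field.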
