CVE-2024-37102
Published: 02 January 2025
Summary
CVE-2024-37102 is a medium-severity CSRF (CWE-352) vulnerability in Blossomthemes Vilva. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 45.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-37102 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Blossom Themes Vilva WordPress theme. It affects Vilva versions from unspecified initial releases through 1.2.2. The issue enables forged requests to perform unauthorized actions within the theme's functionality.
The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), indicating network accessibility, low attack complexity, no required privileges, and reliance on user interaction with unchanged scope. Unauthenticated attackers can exploit it by tricking authenticated users into submitting malicious requests, resulting in low-impact integrity effects such as unauthorized data modifications.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/vilva/vulnerability/wordpress-vilva-theme-1-2-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve, which documents the issue and associated remediation steps for the affected theme versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37050
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in blossomthemes Vilva vilva allows Cross Site Request Forgery. This issue affects Vilva: from n/a through <= 1.2.2.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
CSRF in a public-facing WordPress theme directly enables exploitation of a web application vulnerability for unauthorized actions (T1190).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SC-23 directly requires mechanisms like anti-CSRF tokens to protect the authenticity of web sessions against forged requests exploiting this vulnerability.
SI-10 mandates validation of information inputs, including CSRF tokens in theme requests, to block unauthorized forged actions.
SI-2 ensures timely identification, reporting, and correction of the specific CSRF flaw in the Vilva theme versions up to 1.2.2.
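The two controls above describe a generic pattern rather than the Vilva fix itself. The following is an added, illustrative example (not code from the Vilva theme, from Blossom Themes, or from the Patchstack advisory) of what SC-23 and SI-10 mean in WordPress terms: a hypothetical theme settings handler that honours any state-changing POST (the CWE-352 pattern), placed beside the same handler protected by a WordPress nonce and a capability check. All function, option, action and text-domain names (`example_*`, `edit_theme_options` aside, which is a real WordPress capability) are assumptions.

```php
<?php
/**
 * Added illustrative example, not Vilva's code. Shows the pattern SC-23 (session
 * authenticity) and SI-10 (input validation) describe for a WordPress theme:
 * a settings handler reachable via admin-post.php, first without any
 * request-origin check, then hardened with a nonce plus a capability check.
 * All example_* names are hypothetical.
 */

// --- Vulnerable pattern (hypothetical, NOT the Vilva code) --------------------
// Any POST to admin-post.php?action=example_save_footer is honoured. The browser
// of a logged-in administrator attaches the session cookie automatically, so a
// request that browser was induced to send from another site succeeds as well.
function example_save_footer_vulnerable() {
    $text = isset( $_POST['footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['footer_text'] ) )
        : '';
    update_option( 'example_footer_text', $text );
    wp_safe_redirect( admin_url( 'themes.php?page=example-settings&saved=1' ) );
    exit;
}

// --- Hardened pattern -----------------------------------------------------------
// 1. The form embeds a nonce bound to one action and to the current user's session
//    (SC-23). A page on another origin cannot read or predict this value.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_footer">
        <?php wp_nonce_field( 'example_save_footer', 'example_footer_nonce' ); ?>
        <input type="text" name="footer_text"
               value="<?php echo esc_attr( get_option( 'example_footer_text', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. The handler validates the nonce (SI-10) and the caller's capability before
//    any state change. check_admin_referer() calls wp_verify_nonce() and stops the
//    request with wp_die() when the token is missing, expired or forged.
function example_save_footer_hardened() {
    check_admin_referer( 'example_save_footer', 'example_footer_nonce' );

    // A nonce proves the request came from a form this user was served; it is not
    // an authorisation decision, so the capability check is still required.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change theme settings.', 'example' ),
            '',
            array( 'response' => 403 )
        );
    }

    $text = isset( $_POST['footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['footer_text'] ) )
        : '';
    update_option( 'example_footer_text', $text );
    wp_safe_redirect( admin_url( 'themes.php?page=example-settings&saved=1' ) );
    exit;
}

// Only the hardened handler is hooked. The admin_post_{action} hook fires for
// logged-in users; the vulnerable function above is kept purely for comparison.
add_action( 'admin_post_example_save_footer', 'example_save_footer_hardened' );
```

When reviewing a theme for this class of issue, the check is mechanical: every handler hooked to `admin_post_*`, `wp_ajax_*`, `admin_init`, or a custom `template_redirect` branch that writes options, posts or user data should reach `wp_verify_nonce()`, `check_admin_referer()` or `check_ajax_referer()` before the write, and should pair that with a `current_user_can()` test, since WordPress nonces are per-user and time-limited (roughly 12 to 24 hours) rather than a privilege check in themselves.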