CVE-2024-37412
Published: 02 January 2025
Summary
CVE-2024-37412 is a medium-severity CSRF (CWE-352) vulnerability in Blossomthemes Blossom Shop. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 36.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-37412 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Blossom Shop WordPress theme developed by blossomthemes. The issue affects Blossom Shop from unknown initial versions through version 1.1.7.
The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), indicating network accessibility, low attack complexity, no privileges required, and user interaction needed, with unchanged scope, no confidentiality or availability impact, and low integrity impact. An attacker can exploit it by tricking an authenticated user into submitting a malicious request, potentially allowing unauthorized actions or state changes in the theme on the victim's behalf.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/blossom-shop/vulnerability/wordpress-blossom-shop-theme-1-1-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve. The vulnerability was published on 2025-01-02.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37000
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in blossomthemes Blossom Shop blossom-shop allows Cross Site Request Forgery. This issue affects Blossom Shop: from n/a through <= 1.1.7.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A CSRF flaw in a public-facing WordPress theme lets an attacker exploit the web application through a malicious link or page that the victim must interact with, producing unauthorized state changes; this matches Exploit Public-Facing Application (T1190).
Mitigating Controls (NIST 800-53 r5)
SC-23 mandates mechanisms like anti-CSRF tokens to ensure session authenticity, directly preventing forged requests that exploit the Blossom Shop theme's CSRF vulnerability.
SI-10 requires validation of information inputs such as CSRF tokens in user requests, blocking unauthorized state-changing actions via forged submissions.
SI-2 (Flaw Remediation) ensures timely identification, reporting, and patching of the specific CSRF flaw in Blossom Shop versions through 1.1.7, eliminating the vulnerability.
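To make the SC-23 and SI-10 controls concrete, the following is an added example of a hypothetical WordPress theme settings handler; it is not code from the Blossom Shop theme (whose vulnerable handler is not described on this page), and the function, option and hook names are assumptions. The first handler accepts any POST that reaches it, the second verifies a nonce and the caller's capability before changing state.

```php
<?php
// Added example: a hypothetical WordPress theme settings handler, not the
// Blossom Shop theme's own code. Function, option and hook names are assumed.

// Vulnerable pattern (shown for contrast, not hooked): the handler trusts any
// POST that admin-post.php routes to it, so a form on a third-party page that a
// logged-in administrator submits will change the option on their behalf.
function example_theme_save_settings_vulnerable() {
    if ( isset( $_POST['example_theme_footer_text'] ) ) {
        update_option( 'example_theme_footer_text', wp_unslash( $_POST['example_theme_footer_text'] ) );
    }
    wp_safe_redirect( admin_url( 'themes.php?page=example-theme' ) );
    exit;
}

// Hardened form: wp_nonce_field() embeds a per-user, time-limited token tied to
// the action name (SC-23 session authenticity).
function example_theme_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_theme_save">
        <?php wp_nonce_field( 'example_theme_save', 'example_theme_nonce' ); ?>
        <input type="text" name="example_theme_footer_text"
               value="<?php echo esc_attr( get_option( 'example_theme_footer_text', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened handler: the nonce is validated before any state change (SI-10),
// authorization is checked separately, and the input is sanitized.
function example_theme_save_settings() {
    // Dies with HTTP 403 if the nonce is missing, expired or bound to another action/user.
    check_admin_referer( 'example_theme_save', 'example_theme_nonce' );
    // A valid nonce proves the request came from our form; it does not prove authorization.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-theme' ), 403 );
    }
    $text = isset( $_POST['example_theme_footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_theme_footer_text'] ) )
        : '';
    update_option( 'example_theme_footer_text', $text );
    wp_safe_redirect( admin_url( 'themes.php?page=example-theme' ) );
    exit;
}
add_action( 'admin_post_example_theme_save', 'example_theme_save_settings' );
```

A failed nonce check surfaces as a 403 "The link you followed has expired" response, which is a useful signal to watch for in web server logs when assessing whether forged requests are being attempted against a site.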