Cyber Resilience

CVE-2024-37412

Severity: Medium
Published: 02 January 2025
Modified: 23 April 2026
KEV: not listed
CVSS v3.1: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
EPSS: 0.0015 (36.0th percentile)
Risk Priority: 9 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-37412 is a medium-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in the Blossom Shop WordPress theme by Blossomthemes, affecting all versions up to and including 1.1.7. Its CVSS v3.1 base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190), with the forged request typically delivered by a Spearphishing Link (T1566.002). Its EPSS score of 0.0015 places it at the 36.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-37412 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Blossom Shop WordPress theme developed by blossomthemes. The record lists no lower version bound; all versions up to and including 1.1.7 are affected.

The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N): reachable over the network, low attack complexity, no privileges required by the attacker, user interaction required, unchanged scope, no confidentiality or availability impact, and low integrity impact. The attacker needs no account of their own because the victim's account does the work: the attacker lures a logged-in user who holds the rights for the affected theme action to an attacker-controlled page, that page submits a crafted request to the WordPress site, and the browser attaches the victim's session cookies, so the site processes the request as if the victim had made it. The affected theme action does not verify that the request originated from its own form, so the state change it performs is carried out on the victim's behalf.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/blossom-shop/vulnerability/wordpress-blossom-shop-theme-1-1-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve. The vulnerability was published on 2025-01-02.

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in blossomthemes Blossom Shop blossom-shop allows Cross Site Request Forgery. This issue affects Blossom Shop: from n/a through <= 1.1.7.

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

The theme runs on a public-facing WordPress site, so the forged request is ultimately processed by an Internet-facing application (T1190). Because the victim must be induced to load the attacker's page (the CVSS UI:R requirement), the usual delivery vehicle is a spearphishing link (T1566.002); no credentials or foothold are needed beyond the victim's existing session.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-37102 (same vendor: Blossomthemes)
CVE-2026-3857 (shared CWE-352)
CVE-2024-37937 (shared CWE-352)
CVE-2026-44925 (shared CWE-352)
CVE-2025-30555 (shared CWE-352)
CVE-2026-34394 (shared CWE-352)
CVE-2025-23990 (shared CWE-352)
CVE-2024-47100 (shared CWE-352)
CVE-2025-26545 (shared CWE-352)
CVE-2025-26963 (shared CWE-352)

Affected Assets

blossomthemes Blossom Shop (WordPress theme), versions ≤ 1.1.7

Mitigating Controls (NIST 800-53 r5)

SC-23 Session Authenticity (prevent)
SC-23 requires mechanisms that protect the authenticity of communications sessions. For a WordPress theme that means binding every state-changing request to the user's own session, in practice a nonce minted for the user and the specific action and verified before the action runs (check_admin_referer() or wp_verify_nonce() for form handlers, check_ajax_referer() for admin-ajax handlers). A cross-site page cannot obtain such a token, so forged requests of the kind CVE-2024-37412 relies on are rejected.

SI-10 Information Input Validation (prevent)
SI-10 requires that the application validate what it receives. The nonce check is one such validation, and the same handler should also check the user's capability for the action and constrain the submitted values to what the setting expects, so that a request that somehow passes the session check still cannot write arbitrary data.

SI-2 Flaw Remediation (prevent)
SI-2 requires timely identification, reporting, and remediation of flaws. Here that means inventorying installations of Blossom Shop at version 1.1.7 or earlier and updating to a version that carries the fix described in the Patchstack advisory, which removes the vulnerability rather than mitigating around it.
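The following is an added example, not code from the Blossom Shop theme or from Blossomthemes, illustrating the request pattern described under "Deeper analysis" and the SC-23 / SI-10 controls above. It shows a hypothetical theme settings handler first in the CSRF-prone shape (a state change with no binding to the user's session) and then hardened with a WordPress nonce, a capability check, and value validation. The action name blossomshop_demo_save, the option name blossomshop_demo_setting, the field names, and the text domain are all assumptions for illustration; the WordPress functions used are real core APIs.

```php
<?php
/**
 * Added example (not the theme's code). Hypothetical handler names and
 * option/field names are assumptions; only the WordPress core APIs are real.
 */

// --- CSRF-prone form: a state change with no request-origin binding. ---
// Any page that can make a logged-in user's browser POST to
// admin-post.php?action=blossomshop_demo_save changes the option, because
// the browser attaches the victim's cookies and nothing here checks that
// the submission came from the theme's own settings form.
function blossomshop_demo_save_vulnerable() {
    $value = isset( $_POST['demo_setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_setting'] ) )
        : '';
    update_option( 'blossomshop_demo_setting', $value ); // attacker-chosen value
    wp_safe_redirect( admin_url( 'themes.php?page=blossomshop-demo&saved=1' ) );
    exit;
}

// --- Hardened form: nonce, capability, value validation, then the write. ---
function blossomshop_demo_save_hardened() {
    // 1. Session authenticity (SC-23): the request must carry a nonce that
    //    WordPress minted for this user and this action. A cross-site page
    //    cannot obtain one. check_admin_referer() calls wp_die() with a
    //    403 response when the field is missing, expired or forged.
    check_admin_referer( 'blossomshop_demo_save', 'blossomshop_demo_nonce' );

    // 2. Authorization: an authentic request must still come from a user
    //    permitted to change theme settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change this setting.', 'blossomshop-demo' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 3. Input validation (SI-10): constrain the value to the expected set
    //    instead of storing whatever string arrived.
    $allowed = array( 'grid', 'list' );
    $value   = isset( $_POST['demo_setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_setting'] ) )
        : '';
    if ( ! in_array( $value, $allowed, true ) ) {
        wp_die(
            esc_html__( 'Invalid setting value.', 'blossomshop-demo' ),
            '',
            array( 'response' => 400 )
        );
    }

    update_option( 'blossomshop_demo_setting', $value );
    wp_safe_redirect( admin_url( 'themes.php?page=blossomshop-demo&saved=1' ) );
    exit;
}
add_action( 'admin_post_blossomshop_demo_save', 'blossomshop_demo_save_hardened' );

// The theme's own settings form must emit the matching nonce field with the
// same action and field name, otherwise the hardened handler rejects the
// theme's legitimate submissions as well as forged ones.
function blossomshop_demo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="blossomshop_demo_save">
        <?php wp_nonce_field( 'blossomshop_demo_save', 'blossomshop_demo_nonce' ); ?>
        <select name="demo_setting">
            <option value="grid">Grid</option>
            <option value="list">List</option>
        </select>
        <?php submit_button( __( 'Save', 'blossomshop-demo' ) ); ?>
    </form>
    <?php
}
```

Two caveats a reviewer would raise when reading theme code for this class of bug: a WordPress nonce is bound to the user and the action but is not single-use (it stays valid for a lifetime window, 24 hours by default), so it is a session-bound token rather than a per-request one, and the nonce check is not an authorization check, which is why the capability test is kept separately. For handlers registered through admin-ajax.php the equivalent guard is check_ajax_referer() with the same action and field name.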

References

Patchstack advisory: https://patchstack.com/database/Wordpress/Theme/blossom-shop/vulnerability/wordpress-blossom-shop-theme-1-1-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve