CVE-2024-37435
Published: 02 January 2025
Summary
CVE-2024-37435 is a medium-severity CSRF (CWE-352) vulnerability in Rarathemes Perfect Portfolio. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 38.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-37435 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the Perfect Portfolio WordPress theme by Rara Theme. The flaw affects all versions of the theme from n/a through 1.2.0 and was published on 2025-01-02.
The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), indicating network accessibility, low attack complexity, no privileges required, and user interaction needed, with unchanged scope, no confidentiality or availability impact, and low integrity impact. Any remote attacker can exploit it by tricking an authenticated user into submitting a forged request, such as by visiting a malicious webpage, potentially enabling unauthorized actions on the victim's behalf.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/perfect-portfolio/vulnerability/wordpress-perfect-portfolio-theme-1-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve details the CSRF issue in Perfect Portfolio version 1.2.0 and provides vulnerability information for mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36925
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in raratheme Perfect Portfolio perfect-portfolio allows Cross Site Request Forgery. This issue affects Perfect Portfolio: from n/a through <= 1.2.0.
- CWE(s): CWE-352
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF in a public-facing WordPress theme enables exploitation of the web application (T1190) via a malicious link that requires user interaction (T1204.001).
Mitigating Controls (NIST 800-53 r5)
SC-23 requires session authenticity mechanisms such as anti-CSRF tokens or SameSite cookies, directly preventing exploitation of the CSRF vulnerability in the Perfect Portfolio theme.
SI-10 mandates validation of information inputs, enabling checks for valid CSRF tokens to reject forged requests targeting the vulnerable theme.
SI-2 ensures timely identification, reporting, and correction of flaws like this CSRF vulnerability through patching the affected Perfect Portfolio theme versions.
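The SC-23 and SI-10 controls above map onto concrete WordPress mechanisms: a nonce bound to the logged-in user and the specific action (session authenticity), a capability check, and whitelisting of the submitted value (input validation). The following is an added illustration of a generic theme AJAX handler, not the Perfect Portfolio theme's own code; the action name pp_demo_save_setting, the option pp_demo_setting, the nonce field _pp_nonce and the allowed values are assumptions made for the example. The first function shows the unprotected shape that CWE-352 describes; the second shows the hardened handler.

```php
<?php
// Added illustration (not the Perfect Portfolio theme's code). The action name
// "pp_demo_save_setting", option "pp_demo_setting", nonce field "_pp_nonce"
// and the allowed values are assumptions for this example only.

// --- Unprotected shape (CWE-352): no nonce and no capability check, so any
// request that arrives with the victim's logged-in cookies is honoured,
// including one a third-party page submits on the victim's behalf.
function pp_demo_save_setting_unprotected() {
    update_option( 'pp_demo_setting', sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
    wp_send_json_success();
}

// --- Hardened shape. The form embeds a nonce tied to the current user and
// to this action (SC-23 session authenticity); the handler verifies it,
// checks authorisation, and validates the submitted value (SI-10).
function pp_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="pp_demo_save_setting">
        <?php wp_nonce_field( 'pp_demo_save_setting', '_pp_nonce' ); ?>
        <input type="text" name="value">
        <button type="submit">Save</button>
    </form>
    <?php
}

function pp_demo_save_setting_protected() {
    // Stops the request (HTTP 403 for AJAX) when the nonce is missing, expired,
    // or was issued for a different user or action; a cross-site page cannot
    // read the nonce and therefore cannot forge a request that passes here.
    check_ajax_referer( 'pp_demo_save_setting', '_pp_nonce' );

    // A valid nonce proves the request came from a page we rendered for this
    // user; it does not prove the user is allowed to change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input validation: accept only the values the setting is defined for.
    $allowed = array( 'grid', 'list' ); // assumed value set for the example
    $value   = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    if ( ! in_array( $value, $allowed, true ) ) {
        wp_send_json_error( 'invalid value', 400 );
    }

    update_option( 'pp_demo_setting', $value );
    wp_send_json_success();
}

// Register only for authenticated users (no wp_ajax_nopriv_ hook), so the
// nonce and capability checks always run before the option is written.
add_action( 'wp_ajax_pp_demo_save_setting', 'pp_demo_save_setting_protected' );
```

When reviewing a theme or plugin for this class of flaw, the check is mechanical: every handler reached through admin-post.php, admin-ajax.php or a settings form that calls update_option, wp_update_post or similar state-changing functions should be preceded by a nonce verification (check_ajax_referer, check_admin_referer or wp_verify_nonce) and a current_user_can check.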