Cyber Resilience

CVE-2024-37435

Severity: Medium
Published: 02 January 2025
Modified: 23 April 2026
KEV Added: not listed
Patch
CVSS Score v3.1: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
EPSS Score: 0.0017 (38.2nd percentile)
Risk Priority: 9 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-37435 is a medium-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in the Rarathemes Perfect Portfolio WordPress theme. Its CVSS v3.1 base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 38.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-37435 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the Perfect Portfolio WordPress theme by Rara Theme. The flaw affects all versions of the theme from n/a through 1.2.0 and was published on 2025-01-02.

The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), indicating network accessibility, low attack complexity, no privileges required, and user interaction needed, with unchanged scope, no confidentiality or availability impact, and low integrity impact. Any remote attacker can exploit it by tricking an authenticated user into submitting a forged request, such as by visiting a malicious webpage, potentially enabling unauthorized actions on the victim's behalf.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/perfect-portfolio/vulnerability/wordpress-perfect-portfolio-theme-1-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve details the CSRF issue in Perfect Portfolio version 1.2.0 and offers mitigation guidance.

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in raratheme Perfect Portfolio perfect-portfolio allows Cross Site Request Forgery. This issue affects Perfect Portfolio: from n/a through <= 1.2.0.

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1204.001 Malicious Link (Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

The CSRF flaw sits in a public-facing WordPress theme, so exploitation is an attack on a web application (T1190), but it only succeeds when an authenticated victim follows a malicious link that submits the forged request (T1204.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-37450 (same vendor: Rarathemes)
CVE-2024-37503 (same vendor: Rarathemes)
CVE-2024-37508 (same vendor: Rarathemes)
CVE-2024-37451 (same vendor: Rarathemes)
CVE-2024-37937 (same vendor: Rarathemes)
CVE-2025-25121 (shared CWE-352)
CVE-2025-24001 (shared CWE-352)
CVE-2025-25147 (shared CWE-352)
CVE-2026-34904 (shared CWE-352)
CVE-2024-26153 (shared CWE-352)

Affected Assets

Vendor: rarathemes
Product: perfect portfolio
Versions: ≤ 1.2.1

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SC-23 (Session Authenticity) requires session authenticity mechanisms such as anti-CSRF tokens or SameSite cookies, directly preventing exploitation of the CSRF vulnerability in the Perfect Portfolio theme.

Prevent: SI-10 (Information Input Validation) mandates validation of information inputs, enabling checks for valid CSRF tokens so that forged requests targeting the vulnerable theme are rejected.

Prevent: SI-2 (Flaw Remediation) ensures timely identification, reporting, and correction of flaws like this CSRF vulnerability by patching the affected Perfect Portfolio theme versions.
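As an added illustration, not code from the Perfect Portfolio theme or from Rara Theme, the following WordPress settings handler shows the unprotected pattern behind CWE-352 next to a hardened form that applies the SC-23 and SI-10 controls above: a WordPress nonce proving the request originated from a form the site rendered for this logged-in user, a capability check, and input validation before anything is written. The hook name, option name, form field names, text domain and nonce action are assumptions chosen for the example; the WordPress functions used (wp_nonce_field, check_admin_referer, current_user_can, sanitize_text_field, update_option) are the core API.

```php
<?php
// Illustrative example only; not code from the Perfect Portfolio theme.
// Hook, option, field and nonce names below are assumptions for the example.

// Form side: render the settings form with a nonce field bound to the
// 'pp_example_save_settings' action and the current user's session.
function pp_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="pp_example_save_settings">
        <?php wp_nonce_field( 'pp_example_save_settings', 'pp_example_nonce' ); ?>
        <input type="text" name="pp_example_tagline">
        <button type="submit">Save</button>
    </form>
    <?php
}

// Vulnerable pattern (CWE-352): the option is written on any POST that reaches
// the handler. A page on another origin can submit this form on behalf of a
// logged-in administrator, because the browser attaches the auth cookies.
function pp_example_save_settings_unsafe() {
    $tagline = sanitize_text_field( wp_unslash( $_POST['pp_example_tagline'] ?? '' ) );
    update_option( 'pp_example_tagline', $tagline );
    wp_safe_redirect( admin_url( 'themes.php' ) );
    exit;
}

// Hardened handler.
function pp_example_save_settings() {
    // SC-23: check_admin_referer() verifies the nonce for this action and user
    // and calls wp_die() if it is missing, expired or forged, so a cross-site
    // request never reaches update_option().
    check_admin_referer( 'pp_example_save_settings', 'pp_example_nonce' );

    // Authorization: a valid nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'pp-example' ), 403 );
    }

    // SI-10: sanitize and bound the input before it is stored.
    $tagline = sanitize_text_field( wp_unslash( $_POST['pp_example_tagline'] ?? '' ) );
    if ( strlen( $tagline ) > 200 ) {
        wp_die( esc_html__( 'Tagline too long.', 'pp-example' ), 400 );
    }

    update_option( 'pp_example_tagline', $tagline );
    wp_safe_redirect( admin_url( 'themes.php?settings-updated=1' ) );
    exit;
}

// Only the hardened handler is wired to the admin-post endpoint.
add_action( 'admin_post_pp_example_save_settings', 'pp_example_save_settings' );
```

A WordPress nonce is tied to the action name and the logged-in user and expires (by default within 24 hours), so a forged request copied from one session cannot be replayed against another. The capability check is kept separate on purpose: the nonce only shows the request came from a page the site rendered, and the theme still has to decide whether this user may change the setting.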

References