CVE-2024-37469
Published: 02 January 2025
Summary
CVE-2024-37469 is a medium-severity CSRF (CWE-352) vulnerability in Creativethemes Blocksy. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-37469 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Blocksy WordPress theme developed by creativethemeshq. The flaw allows CSRF attacks and affects Blocksy versions from n/a through 2.0.22. It carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L), indicating medium severity with no confidentiality impact but low integrity and availability effects.
Attackers can exploit this vulnerability remotely with low complexity and no required privileges, though it demands user interaction, such as visiting a malicious site or clicking a forged link. An unauthenticated remote attacker who can lure an authenticated user of an affected Blocksy instance to an attacker-controlled page can cause that user's browser to submit state-changing requests the user did not intend, potentially leading to unauthorized modifications or disruptions, consistent with the low integrity and availability impacts in the vector.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/blocksy/vulnerability/wordpress-blocksy-theme-1-9-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve provides details on this CSRF issue in the Blocksy theme.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36835
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in creativethemeshq Blocksy blocksy allows Cross Site Request Forgery. This issue affects Blocksy: from n/a through <= 2.0.22.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF flaw in public-facing WordPress theme directly enables remote exploitation of web application (T1190) via forged requests requiring user interaction.
Mitigating Controls (NIST 800-53 r5)
- SC-23 (Session Authenticity): Directly mitigates CSRF vulnerabilities like CVE-2024-37469 by requiring mechanisms such as synchronizer tokens to verify the authenticity of state-changing requests.
- SI-2 (Flaw Remediation): Addresses the specific CSRF flaw in Blocksy theme versions through n/a to 2.0.22 by identifying, prioritizing, and applying timely remediation such as vendor patches.
- Input validation: Provides input validation to check for required CSRF tokens or parameters in requests, rejecting forged submissions that lack proper validation.
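The synchronizer-token control above maps onto WordPress's nonce API. The following is an added illustration, not Blocksy's code and not taken from the Patchstack advisory: a hypothetical theme AJAX endpoint that saves an option, shown first in the unprotected shape that CWE-352 describes and then with the nonce and capability checks a theme handler should carry. The action name `acme_save_option`, the option key `acme_theme_setting`, and the script path are invented for the example; `check_ajax_referer`, `wp_create_nonce`, `wp_localize_script`, `current_user_can` and `wp_send_json_*` are real WordPress functions.

```php
<?php
// Added example (not Blocksy's code). Hypothetical names: action
// 'acme_save_option', option 'acme_theme_setting', script 'acme-settings'.

// --- Unprotected pattern (the CWE-352 shape): any logged-in user's browser
// that is steered to POST here, including from a third-party page, changes
// the option. Nothing ties the request to an action the user chose.
add_action( 'wp_ajax_acme_save_option_unsafe', function () {
    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( 'acme_theme_setting', $value );
    wp_send_json_success();
} );

// --- Hardened pattern, step 1: hand the synchronizer token only to the
// theme's own admin page. A cross-origin page cannot read this value.
add_action( 'admin_enqueue_scripts', function () {
    wp_register_script(
        'acme-settings',
        get_template_directory_uri() . '/js/settings.js', // hypothetical path
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_enqueue_script( 'acme-settings' );
    wp_localize_script( 'acme-settings', 'acmeSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'acme_save_option' ),
    ) );
} );

// --- Hardened pattern, step 2: verify the token and the caller's capability
// before any state changes.
add_action( 'wp_ajax_acme_save_option', function () {
    // check_ajax_referer() reads $_REQUEST['_ajax_nonce'], validates it
    // against the 'acme_save_option' action for the current user/session,
    // and terminates the request (HTTP 403, body "-1") when it is missing,
    // expired or forged. A request built on another origin cannot carry it.
    check_ajax_referer( 'acme_save_option', '_ajax_nonce' );

    // The nonce proves intent, not authority: still enforce least privilege.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( 'acme_theme_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
} );
```

The browser-side script (not shown) sends `acmeSettings.nonce` as the `_ajax_nonce` field alongside `action=acme_save_option`. For a classic form POST rather than an AJAX call, the equivalent pair is `wp_nonce_field( 'acme_save_option' )` in the form and `check_admin_referer( 'acme_save_option' )` in the handler. When reviewing a theme or plugin for this class of issue, the check to make is that every `wp_ajax_*`, `admin_post_*` and `admin-ajax` handler that writes options, posts or files performs both a nonce verification and a `current_user_can()` check before its first write.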