Cyber Resilience

CVE-2024-37469

Medium

Published: 02 January 2025

Modified
29 April 2026
KEV Added
Patch
CVSS Score v3.1: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L)
EPSS Score: 0.0010 (26.7th percentile)
Risk Priority: 11 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-37469 is a medium-severity CSRF (CWE-352) vulnerability in Creativethemes Blocksy. Its CVSS base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 26.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-37469 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Blocksy WordPress theme developed by creativethemeshq. The flaw allows CSRF attacks and affects Blocksy versions from n/a through 2.0.22. It carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L), indicating medium severity with no confidentiality impact but low integrity and availability effects.

Attackers can exploit this vulnerability remotely with low complexity and no required privileges, though it demands user interaction, such as visiting a malicious site or clicking a forged link. Any unauthenticated remote attacker targeting users of affected Blocksy instances can trick authenticated victims into submitting unintended requests, potentially leading to unauthorized modifications or disruptions aligned with the low integrity and availability impacts.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/blocksy/vulnerability/wordpress-blocksy-theme-1-9-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve provides details on this CSRF issue in the Blocksy theme.

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in creativethemeshq Blocksy blocksy allows Cross Site Request Forgery. This issue affects Blocksy: from n/a through <= 2.0.22.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A CSRF flaw in a public-facing WordPress theme maps directly to remote exploitation of a web application (T1190): the attacker reaches the application through forged requests that require user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-37102 (shared CWE-352)
CVE-2024-37450 (shared CWE-352)
CVE-2025-23558 (shared CWE-352)
CVE-2025-68722 (shared CWE-352)
CVE-2025-31440 (shared CWE-352)
CVE-2025-23848 (shared CWE-352)
CVE-2025-22571 (shared CWE-352)
CVE-2024-53684 (shared CWE-352)
CVE-2025-23455 (shared CWE-352)
CVE-2025-22582 (shared CWE-352)

Affected Assets

Vendor: creativethemes
Product: blocksy
Versions: ≤ 2.0.23

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent · SC-23 (Session Authenticity): Directly mitigates CSRF vulnerabilities like CVE-2024-37469 by requiring mechanisms such as synchronizer tokens to verify the authenticity of state-changing requests.

prevent · SI-2 (Flaw Remediation): Addresses the specific CSRF flaw in Blocksy theme versions from n/a through 2.0.22 by identifying, prioritizing, and applying timely remediation such as vendor patches.

prevent: Provides input validation that checks for the required CSRF token or parameters in each request, rejecting forged submissions that lack a valid token.
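The synchronizer-token check that SC-23 calls for, shown as an added example in Python rather than the theme's PHP; this is not Blocksy's code or anything from the advisory. In WordPress the same pattern is provided by `wp_nonce_field()` on the form and `check_admin_referer()` / `wp_verify_nonce()` on the handler. Here the server secret, the session ids, the action name `update_theme_settings`, the site origin and the sample requests are all constructed for the demo. The handler binds each token to the victim's session and to one action, so a cross-site page that can trigger the browser to send the session cookie still cannot supply a valid token, and an Origin/Referer check gives a second, independent rejection.

```python
"""Synchronizer-token CSRF defense for a state-changing endpoint.

Added example, not code from the Blocksy theme or the Patchstack advisory.
All secrets, session ids and requests below are constructed for the demo.
"""
import hashlib
import hmac
import secrets

# Server-side key that binds tokens to a session (constructed; a real
# deployment loads this from its key store, never from source).
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_SEPARATOR = "."
ACTION = "update_theme_settings"  # hypothetical action name


def _mac(session_id: str, action: str, nonce: str) -> str:
    """HMAC over session, action and nonce: forging it needs SERVER_SECRET."""
    msg = f"{session_id}|{action}|{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, action: str) -> str:
    """Mint the token the server embeds in its own form for this session/action."""
    nonce = secrets.token_hex(16)
    return f"{nonce}{TOKEN_SEPARATOR}{_mac(session_id, action, nonce)}"


def verify_token(session_id: str, action: str, token) -> bool:
    """True only for a token minted for this session AND this action."""
    if not isinstance(token, str) or TOKEN_SEPARATOR not in token:
        return False  # missing or malformed: treat exactly like a forgery
    nonce, mac = token.split(TOKEN_SEPARATOR, 1)
    expected = _mac(session_id, action, nonce)
    # Constant-time compare on bytes (user-supplied str may be non-ASCII).
    return hmac.compare_digest(mac.encode(), expected.encode())


def same_origin(request: dict, site_origin: str) -> bool:
    """Defense in depth: browsers attach Origin (or Referer) to cross-site POSTs."""
    headers = request["headers"]
    origin = headers.get("Origin")
    if origin is not None:
        return origin == site_origin
    referer = headers.get("Referer")
    return referer is not None and referer.startswith(site_origin + "/")


def handle_settings_update(request: dict, site_origin: str) -> dict:
    """Authorize a state-changing request before applying it."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return {"status": 401, "reason": "not authenticated"}
    if not same_origin(request, site_origin):
        return {"status": 403, "reason": "cross-site origin"}
    if not verify_token(session_id, ACTION, request["form"].get("_csrf_token")):
        return {"status": 403, "reason": "missing or invalid CSRF token"}
    return {"status": 200, "applied": request["form"].get("setting")}


SITE = "https://example-blog.test"  # constructed site origin
SESSION = "sess-victim-1234"        # constructed session cookie value


def demo() -> dict:
    """Run three constructed requests through the handler; returns their statuses."""
    token = issue_token(SESSION, ACTION)
    # Legitimate: submitted from the site's own form, carrying its token.
    legit = {"headers": {"Origin": SITE},
             "cookies": {"session": SESSION},
             "form": {"setting": "dark_mode", "_csrf_token": token}}
    # Forged: the victim's browser still sends the session cookie, but the
    # third-party page cannot read the token and its Origin differs.
    forged = {"headers": {"Origin": "https://third-party.test"},
              "cookies": {"session": SESSION},
              "form": {"setting": "dark_mode"}}
    # Same origin but a token minted for a different action: also rejected.
    wrong_action = {"headers": {"Origin": SITE},
                    "cookies": {"session": SESSION},
                    "form": {"setting": "dark_mode",
                             "_csrf_token": issue_token(SESSION, "delete_post")}}
    return {name: handle_settings_update(req, SITE)["status"]
            for name, req in (("legit", legit), ("forged", forged),
                              ("wrong_action", wrong_action))}


if __name__ == "__main__":
    print(demo())  # {'legit': 200, 'forged': 403, 'wrong_action': 403}
```

Two design points carry over to the WordPress case: the token must be checked on every state-changing handler (a forgotten `check_admin_referer()` is exactly the class of bug CWE-352 describes), and the Origin/Referer check is a second layer, not a replacement, because some clients omit both headers. Setting the session cookie with `SameSite=Lax` further limits which cross-site requests carry the cookie at all.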

References