Cyber Resilience

CVE-2024-37937

Severity: Medium
Published: 02 January 2025
Modified: 23 April 2026
KEV Added: not listed
CVSS v3.1: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
EPSS: 0.0022 (45.2nd percentile)
Risk Priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-37937 is a medium-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in the Rara Business WordPress theme by Rara Theme. Its CVSS v3.1 base score is 4.3 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 45.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-37937 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the Rara Business WordPress theme by Rara Theme (slug rara-business). All releases up to and including 1.2.5 are affected: a state-changing request handled by the theme can be triggered from a third-party origin because it is not bound to a secret the attacker cannot obtain (such as a WordPress nonce). It carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N): network reachable, low attack complexity, no privileges required of the attacker, user interaction required, and a low integrity impact only.

An attacker exploits this remotely by luring a logged-in WordPress user to an attacker-controlled page (for example via a phishing link) that silently submits a crafted form to the target site; the browser attaches the victim's session cookies, so the site processes the request as the victim. PR:N describes the attacker, not the victim: the forged request only achieves anything if the victim currently holds a WordPress session with the capability the affected handler needs, typically an administrator. Successful exploitation yields a low integrity impact, such as unauthorized changes to theme settings, with no effect on confidentiality or availability.

The Patchstack advisory provides further details on this WordPress theme vulnerability, including assessment and recommended actions, accessible at https://patchstack.com/database/Wordpress/Theme/rara-business/vulnerability/wordpress-rara-business-theme-1-2-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve.

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in raratheme Rara Business rara-business allows Cross Site Request Forgery. This issue affects Rara Business: from n/a through <= 1.2.5.

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1566.002 Spearphishing Link (Initial Access): Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

The CSRF sits in a public-facing WordPress theme, so the forged request is an attack on the web application itself (T1190); the request typically reaches the victim's browser through a crafted link or page delivered by social engineering (T1566.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2024-37450 (same vendor: Rarathemes)
- CVE-2024-37503 (same vendor: Rarathemes)
- CVE-2024-37508 (same vendor: Rarathemes)
- CVE-2024-37451 (same vendor: Rarathemes)
- CVE-2024-37435 (same vendor: Rarathemes)
- CVE-2026-3857 (shared CWE-352)
- CVE-2026-44925 (shared CWE-352)
- CVE-2025-30555 (shared CWE-352)
- CVE-2026-34394 (shared CWE-352)
- CVE-2025-23990 (shared CWE-352)

Affected Assets

Rara Theme, Rara Business WordPress theme (rara-business), versions ≤ 1.2.5 (as stated in the vulnerability details above)

Mitigating Controls (NIST 800-53 r5)

- SC-23 Session Authenticity (prevent): requires mechanisms such as anti-CSRF tokens that bind a state-changing request to the authenticated session, directly preventing forged requests against this theme.
- SI-10 Information Input Validation (prevent): enforces validation of information inputs, including verification of the CSRF token on every state-changing request before it is acted on.
- SI-2 Flaw Remediation (prevent, recover): mandates identification and remediation of flaws like this CSRF vulnerability through timely updating of affected Rara Business theme installations.
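The attack flow described under Deeper analysis and the SC-23/SI-10 controls above come down to one question in a theme's code: is a state-changing admin request tied to something a cross-site page cannot forge? The following is an added example written for this page, not code from the Rara Business theme, from the CVE record or from Patchstack. It shows a hypothetical theme settings handler in the vulnerable shape (any POST is honoured) beside a hardened version that uses a WordPress nonce, a capability check and input sanitisation. The option name demo_theme_footer_text, the action names demo_theme_save_vuln and demo_theme_save, the nonce field name and the 200-character limit are all assumptions made for illustration.

```php
<?php
/*
 * Added example for this page (not Rara Business code): a hypothetical
 * WordPress theme settings handler, first without and then with CSRF
 * protection. All option/action/field names are assumptions.
 */

// --- Vulnerable pattern -----------------------------------------------------
// Any POST to admin-post.php?action=demo_theme_save_vuln is processed. If a
// logged-in administrator visits an attacker page containing an auto-submitting
// form aimed at that URL, the browser attaches the admin's cookies and nothing
// here distinguishes the forged request from a genuine one, so the attacker
// controls the stored option (integrity impact, matching C:N/I:L/A:N).
function demo_theme_save_vuln() {
    if ( isset( $_POST['footer_text'] ) ) {
        // No nonce, no capability check, no sanitisation.
        update_option( 'demo_theme_footer_text', $_POST['footer_text'] );
    }
    wp_safe_redirect( admin_url( 'themes.php?page=demo-theme' ) );
    exit;
}
add_action( 'admin_post_demo_theme_save_vuln', 'demo_theme_save_vuln' );

// --- Hardened pattern -------------------------------------------------------
// The form embeds a nonce that WordPress derives from the user, the session
// token, the action name and a time tick. A page on another origin cannot read
// it (same-origin policy) and cannot compute it, so a forged POST arrives
// without a valid token and is rejected before any state changes.
function demo_theme_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_theme_save">
        <?php wp_nonce_field( 'demo_theme_save', 'demo_theme_nonce' ); ?>
        <label for="footer_text">Footer text</label>
        <input type="text" id="footer_text" name="footer_text"
               value="<?php echo esc_attr( get_option( 'demo_theme_footer_text', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function demo_theme_save() {
    // 1. Authorisation: only users allowed to change theme options proceed.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Session authenticity (SC-23): verify the nonce for this exact action.
    //    With a named action, check_admin_referer() requires a valid nonce and
    //    stops the request with the "link has expired" screen if it is missing
    //    or wrong; there is no Referer-based fallback in that case.
    check_admin_referer( 'demo_theme_save', 'demo_theme_nonce' );

    // 3. Input validation (SI-10): strip slashes added by WordPress, remove
    //    tags and control characters, and bound the length before storing.
    $footer_text = isset( $_POST['footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['footer_text'] ) )
        : '';
    if ( strlen( $footer_text ) > 200 ) {
        $footer_text = substr( $footer_text, 0, 200 );
    }

    update_option( 'demo_theme_footer_text', $footer_text );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'themes.php?page=demo-theme' ) ) );
    exit;
}
add_action( 'admin_post_demo_theme_save', 'demo_theme_save' );
```

When reviewing a theme or plugin for this bug class, look for every handler hooked to admin_post_*, admin_init, wp_ajax_* or a custom REST route that calls update_option(), update_post_meta() or similar, and confirm that a nonce check (check_admin_referer(), check_ajax_referer() or wp_verify_nonce()) and a capability check both run before the write. Note that the nonce alone is not an authorisation control: without the current_user_can() check, any logged-in user who can obtain a nonce for the action can change the setting.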
