CVE-2024-37937
Published: 02 January 2025
Summary
CVE-2024-37937 is a medium-severity CSRF (CWE-352) vulnerability in Rarathemes Rara Business. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 45.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-37937 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the Rara Business WordPress theme by Rara Theme (rara-business). The issue affects versions from n/a through 1.2.5, allowing CSRF attacks as described in the CVE details. It carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), indicating medium severity with network accessibility, low attack complexity, no privileges required, and user interaction needed.
Attackers can exploit this vulnerability remotely by tricking authenticated users into submitting malicious requests via a crafted webpage, such as through social engineering. No privileges are needed from the attacker, but the victim must interact (e.g., click a link or visit a site). Exploitation leads to low integrity impact, potentially enabling unauthorized modifications to theme settings or data, with no effects on confidentiality or availability.
The Patchstack advisory provides further details on this WordPress theme vulnerability, including assessment and recommended actions, accessible at https://patchstack.com/database/Wordpress/Theme/rara-business/vulnerability/wordpress-rara-business-theme-1-2-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36588
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in raratheme Rara Business rara-business allows Cross Site Request Forgery. This issue affects Rara Business: from n/a through <= 1.2.5.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF in a public-facing WordPress theme enables web application exploitation (T1190); the forged request is typically delivered to an authenticated user via crafted links or social engineering.
Mitigating Controls (NIST 800-53 r5)
SC-23 requires mechanisms such as anti-CSRF tokens to protect session authenticity, directly preventing forged requests in this WordPress theme vulnerability.
SI-10 enforces validation of information inputs, enabling verification of CSRF tokens to block unauthorized state-changing requests exploiting the theme.
SI-2 mandates identification and remediation of flaws like this CSRF vulnerability through timely patching of the affected Rara Business theme versions.