Cyber Posture

CVE-2024-37412

Medium

Published: 02 January 2025
Modified: 23 April 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
EPSS Score: 0.0015 (35.8th percentile)
Risk Priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Cross-Site Request Forgery (CSRF) vulnerability in blossomthemes Blossom Shop blossom-shop allows Cross Site Request Forgery. This issue affects Blossom Shop: from n/a through <= 1.1.7.

Security Summary

CVE-2024-37412 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Blossom Shop WordPress theme developed by blossomthemes. The issue affects Blossom Shop from unknown initial versions through version 1.1.7.

The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). The forged request is delivered over the network with low complexity and needs no privileges on the attacker's side, but it requires user interaction: the victim must be logged in to the WordPress site and load attacker-controlled content. Scope is unchanged, so the effect stays within the theme's own functionality, and the impact is limited to low integrity, with no confidentiality or availability impact: a successful attack changes state the theme controls but discloses nothing and does not take the site down. In practice the attacker lures an authenticated user, typically an administrator, to a page that auto-submits a request to the theme's state-changing endpoint; the browser attaches the victim's session cookies, so WordPress processes the request as if the victim had made it. In WordPress themes and plugins this class of bug is usually a settings or AJAX handler that performs the write without verifying a nonce (wp_verify_nonce / check_admin_referer), often without a capability check as well. The description does not identify the specific Blossom Shop handler involved, and unauthenticated visitors are not affected.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/blossom-shop/vulnerability/wordpress-blossom-shop-theme-1-1-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve. Note that the description and the advisory title give 1.1.7 as the last affected version, while the Affected Products entry below lists ≤ 1.1.8; confirm the fixed release against the advisory and update the theme to the current version from the vendor rather than relying on either range alone. The vulnerability was published on 2025-01-02.
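As an added illustration of the pattern behind a CWE-352 finding in a WordPress theme, the following shows a vulnerable settings handler next to its hardened form. This is example code written for this page, not code from Blossom Shop or blossomthemes, and it does not claim to be the affected handler; the option name, admin-post action, nonce field and capability are all hypothetical.

```php
<?php
// Added example, not code from Blossom Shop or blossomthemes.
// Hypothetical names: option 'example_shop_banner', admin-post action
// 'example_save_settings', nonce field '_example_nonce'.

/*
 * Vulnerable pattern (CWE-352): a settings write that trusts any request
 * carrying the victim's session cookie. An attacker hosts a page such as
 *
 *   <form method="post" action="https://victim.example/wp-admin/admin-post.php">
 *     <input type="hidden" name="action" value="example_save_settings">
 *     <input type="hidden" name="banner" value="attacker-controlled text">
 *   </form><script>document.forms[0].submit()</script>
 *
 * and lures a logged-in administrator to it. The browser attaches the
 * cookies and WordPress runs the handler as that administrator.
 */
function example_save_settings_vulnerable() {
    // No nonce and no capability check: the cookie is the only "authentication".
    update_option('example_shop_banner', wp_unslash($_POST['banner'] ?? ''));
    wp_safe_redirect(admin_url('themes.php?page=example-settings'));
    exit;
}

/*
 * Hardened handler. Two checks, in this order:
 *  1. capability: the logged-in user must be allowed to change settings;
 *  2. nonce: the request must carry a token bound to this user, this action
 *     and a limited time window. A cross-site attacker cannot read the token
 *     (same-origin policy), so a forged form fails check_admin_referer(),
 *     which terminates the request with HTTP 403 before any state changes.
 */
function example_save_settings_hardened() {
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to change these settings.', 'example'), 403);
    }
    check_admin_referer('example_save_settings', '_example_nonce');

    $banner = sanitize_text_field(wp_unslash($_POST['banner'] ?? ''));
    update_option('example_shop_banner', $banner);

    wp_safe_redirect(add_query_arg('updated', '1', admin_url('themes.php?page=example-settings')));
    exit;
}
add_action('admin_post_example_save_settings', 'example_save_settings_hardened');

/* Settings form that emits the nonce the hardened handler requires. */
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field('example_save_settings', '_example_nonce'); ?>
        <label>Banner text
            <input type="text" name="banner"
                   value="<?php echo esc_attr(get_option('example_shop_banner', '')); ?>">
        </label>
        <?php submit_button(__('Save', 'example')); ?>
    </form>
    <?php
}
```

Two caveats when reviewing a fix of this kind. A nonce check is not a substitute for a capability check: WordPress nonces are tied to the user and action but say nothing about whether that user should be allowed to perform the action, so both checks belong in the handler. And nonces are valid for up to 24 hours (two 12-hour ticks), so they limit the attack window rather than making the token single-use; for handlers reached through admin-ajax.php the equivalent call is check_ajax_referer().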

Details

CWE(s)
CWE-352

Affected Products

blossomthemes
blossom shop
≤ 1.1.8

References