Cyber Posture

CVE-2024-37435

Medium

Published: 02 January 2025

Modified
23 April 2026
KEV Added
Patch
CVSS Score 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS Score 0.0017 38.0th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Description

Cross-Site Request Forgery (CSRF) vulnerability in raratheme Perfect Portfolio perfect-portfolio allows Cross Site Request Forgery. This issue affects Perfect Portfolio: from n/a through <= 1.2.0.

Security Summary

CVE-2024-37435 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the Perfect Portfolio WordPress theme by Rara Theme. The flaw affects all versions of the theme up to and including 1.2.0 and was published on 2025-01-02.

The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N): a network attack vector, low attack complexity, no privileges required, and user interaction required, with unchanged scope, low integrity impact, and no confidentiality or availability impact. A remote attacker can exploit it by tricking an authenticated user into submitting a forged request, for example by visiting a malicious webpage, which can result in unauthorized actions being performed on the victim's behalf.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/perfect-portfolio/vulnerability/wordpress-perfect-portfolio-theme-1-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve describes the CSRF issue in Perfect Portfolio version 1.2.0 and is the reference for vulnerability details and mitigation guidance.

Details

CWE(s)
CWE-352

Affected Products

rarathemes
perfect portfolio
≤ 1.2.1

References