Cyber Posture

CVE-2024-37469

Medium

Published: 02 January 2025
Modified: 29 April 2026
KEV Added
Patch
CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L)
EPSS Score: 0.0010 (26.5th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Description

Cross-Site Request Forgery (CSRF) vulnerability in creativethemeshq Blocksy allows Cross-Site Request Forgery. This issue affects Blocksy: from n/a through <= 2.0.22.

Security Summary

CVE-2024-37469 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Blocksy WordPress theme developed by creativethemeshq. The flaw allows CSRF attacks and affects Blocksy versions from n/a through 2.0.22. It carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L), indicating medium severity with no confidentiality impact but low integrity and availability effects.

Attackers can exploit this vulnerability remotely with low complexity and no required privileges, though it demands user interaction, such as visiting a malicious site or clicking a forged link. Any unauthenticated remote attacker targeting users of affected Blocksy instances can trick authenticated victims into submitting unintended requests, potentially leading to unauthorized modifications or disruptions aligned with the low integrity and availability impacts.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/blocksy/vulnerability/wordpress-blocksy-theme-1-9-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve provides details on this CSRF issue in the Blocksy theme.

Details

CWE(s): CWE-352

Affected Products

creativethemes blocksy ≤ 2.0.23