CVE-2024-37412 in Blossom Shop Plugin
Summary
by MITRE • 01/02/2025
Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Blossom Shop allows Cross Site Request Forgery.This issue affects Blossom Shop: from n/a through 1.1.7.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 01/12/2026
The vulnerability identified as CVE-2024-37412 represents a critical Cross-Site Request Forgery flaw within the Blossom Shop WordPress theme, specifically impacting versions ranging from an unspecified starting point through 1.1.7. This CSRF vulnerability stems from the theme's failure to implement proper anti-forgery token mechanisms when processing user requests, creating a significant security risk for WordPress sites utilizing this theme. The flaw allows attackers to execute unauthorized actions on behalf of authenticated users who visit malicious websites or click on compromised links, potentially leading to unauthorized modifications of site settings, user account changes, or other malicious activities within the WordPress administration interface.
The technical nature of this vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses in web applications. The vulnerability exists because the Blossom Shop theme does not adequately validate the origin of requests submitted through its administrative interfaces, particularly in forms and AJAX endpoints that handle user modifications. Attackers can craft malicious requests that appear to originate from legitimate administrators, exploiting the trust relationship between the WordPress admin interface and authenticated users. This issue manifests when users navigate to compromised web pages while maintaining an active WordPress admin session, enabling the attacker to perform actions such as changing theme settings, modifying product information, or altering user permissions without the victim's knowledge or consent.
The operational impact of this vulnerability extends beyond simple data modification, as it can potentially lead to complete compromise of WordPress sites running the affected theme version. An attacker could leverage this vulnerability to escalate privileges, install malicious plugins, modify critical site configurations, or even establish persistent backdoors through unauthorized theme modifications. The risk is particularly elevated for sites where administrators frequently access the admin interface from shared or public computers, or when the theme is used in environments where users may inadvertently visit malicious websites. Additionally, the vulnerability affects not just individual user accounts but can potentially impact the entire site's integrity and security posture, making it a critical concern for WordPress site owners and security administrators.
Mitigation strategies for this CSRF vulnerability should prioritize immediate remediation through the official theme updates provided by Blossom Themes, as version 1.1.8 or later should contain the necessary patches to address the anti-forgery token implementation. Site administrators should also implement additional security measures including the use of security plugins that enhance CSRF protection, regular monitoring of theme and plugin updates, and implementation of web application firewalls that can detect and block suspicious request patterns. The WordPress security community should also consider implementing proper input validation and request origin checking mechanisms, aligning with ATT&CK technique T1213.002 for credential access and T1566.001 for social engineering approaches that exploit such vulnerabilities. Organizations should conduct comprehensive security audits of their WordPress installations to identify any other potentially vulnerable components and ensure that all administrative interfaces properly implement CSRF protection measures.