CVE-2024-37458: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in ExtendThemes Highlight theme affecting versions up to and including 1.0.29. The vulnerability was discovered by Dhabaleshwar Das and was disclosed on January 28, 2024, with CVE-2024-37458 being assigned (Patchstack).

The vulnerability is classified as a Cross-Site Request Forgery (CSRF) issue in the highlightadminajaxwelcomenoticedismiss() function, which lacks proper nonce validation. The severity is rated as MEDIUM with a CVSS v3.1 base score of 4.3 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) ([Patchstack](https://patchstack.com/database/wordpress/theme/highlight/vulnerability/wordpress-highlight-theme-1-0-29-cross-site-request-forgery-csrf-vulnerability?s_id=cve)).

The vulnerability allows unauthenticated attackers to perform actions on behalf of authenticated users by tricking them into clicking malicious links. Specifically, attackers can force administrators to dismiss notices without their explicit consent (Patchstack).

The vulnerability has been fixed in version 1.0.30 of the Highlight theme. Users are advised to update to this version or later to remove the vulnerability. The security issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).