Themefy Bloggie up to version 2.0.8 contains a CSRF vulnerability (CWE-352) that enables reflected XSS attacks. The vulnerability allows an attacker to trick an authenticated user into executing unwanted actions via crafted requests. The CVSS 3.1 base score is 7.1, with network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low confidentiality, integrity, and availability impacts. No patch or vendor advisory is currently provided, and the product is not a cloud service.

Successful exploitation could allow an attacker to perform unauthorized actions on behalf of a user and execute reflected XSS attacks, potentially leading to user session compromise or other impacts related to reflected scripting. The vulnerability affects confidentiality, integrity, and availability at a low level but is significant due to the ability to perform actions without privileges. No known exploits have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should exercise caution with untrusted links and consider implementing additional CSRF protections such as tokens or same-site cookies if possible. Monitor official Themefy communications for updates on patches or mitigations.