CVE-2024-13769 identifies a missing authorization vulnerability (CWE-862) in the ThemeREX Puzzles | WP Magazine / Review with Store WordPress theme, versions up to and including 4.2.4. The flaw exists in the AJAX action 'theme_options_ajax_post_action', which lacks proper capability checks, allowing any authenticated user with Subscriber-level privileges or higher to update theme settings. This improper access control enables attackers to inject stored cross-site scripting (XSS) payloads into the theme's options, which are then rendered to site visitors or administrators, leading to persistent XSS attacks. The vulnerability is exploitable remotely without user interaction, leveraging the network attack vector with low attack complexity. The developer has removed the theme from the WordPress repository and has not provided a patch, recommending users to find an alternative theme. The CVSS 3.1 base score is 6.4 (medium), reflecting the impact on confidentiality and integrity but no impact on availability. The vulnerability’s scope is confined to sites using this specific theme, but given WordPress’s widespread use, the potential attack surface is significant. No known exploits in the wild have been reported yet, but the risk remains due to the lack of remediation and the ease of exploitation by authenticated users.

The vulnerability allows attackers with minimal privileges (Subscriber-level) to escalate their influence by modifying theme settings and injecting malicious scripts, leading to stored XSS attacks. This can compromise user sessions, steal cookies, deface websites, or pivot to further attacks such as privilege escalation or malware deployment. The confidentiality of user data and the integrity of website content are at risk. Although availability is not directly impacted, the reputational damage and potential data breaches can have severe consequences for organizations. E-commerce, media, and review websites using this theme are particularly vulnerable, potentially affecting customer trust and business operations. The absence of a patch and the theme’s removal from the repository complicate remediation, increasing the window of exposure. Attackers exploiting this vulnerability could also use it as a foothold for broader network compromise, especially in environments where WordPress is integrated with other critical systems.

Given the lack of an official patch, the primary mitigation is to immediately discontinue use of the vulnerable ThemeREX Puzzles theme and replace it with a well-maintained, secure alternative. Administrators should audit user roles and restrict Subscriber-level accounts from unnecessary access, possibly disabling or limiting AJAX actions via custom code or security plugins. Implement Web Application Firewalls (WAFs) with rules to detect and block suspicious AJAX requests targeting 'theme_options_ajax_post_action'. Conduct thorough site scans for injected scripts and remove any malicious content. Regularly monitor logs for unusual activity related to AJAX endpoints. Educate site administrators about the risks of granting unnecessary privileges and enforce the principle of least privilege. Backup site data before making changes to enable recovery if needed. Consider deploying Content Security Policy (CSP) headers to mitigate the impact of any injected scripts. Finally, keep all other WordPress components updated to reduce the overall attack surface.