CVE-2024-13770: CWE-502 Deserialization of Untrusted Data in ThemeREX Puzzles | WP Magazine / Review with Store WordPress Theme + RTL
CVE-2024-13770 is a high-severity PHP Object Injection vulnerability affecting all versions up to 4.2.4 of the ThemeREX Puzzles WordPress theme. It arises from unsafe deserialization of untrusted input via the 'view_more_posts' AJAX action, allowing unauthenticated attackers to inject PHP objects. While no property-oriented programming (POP) gadget chain exists within the theme itself, exploitation becomes feasible if other plugins or themes with POP chains are installed, potentially enabling arbitrary file deletion, data theft, or remote code execution. The theme has been removed from the repository with no available patch, so site owners are advised to replace it. The vulnerability has a CVSS 3.1 score of 8.1, reflecting its high impact on confidentiality, integrity, and availability without requiring authentication or user interaction. Organizations using this theme or similar vulnerable components should urgently assess their exposure and migrate to safer alternatives.
AI Analysis
Technical Summary
CVE-2024-13770 is a critical PHP Object Injection vulnerability classified under CWE-502, affecting the ThemeREX Puzzles | WP Magazine / Review with Store WordPress Theme + RTL in all versions up to 4.2.4. The flaw stems from the insecure deserialization of untrusted input passed through the 'view_more_posts' AJAX action. Deserialization vulnerabilities occur when untrusted data is converted back into objects without proper validation, allowing attackers to craft malicious serialized objects that, when deserialized, can manipulate application logic or execute arbitrary code. In this case, unauthenticated attackers can inject PHP objects remotely. However, the theme itself does not contain a gadget chain (POP chain) that would enable direct exploitation. Exploitation depends on the presence of other plugins or themes installed on the WordPress site that contain such POP chains, which can be leveraged to perform destructive actions such as deleting arbitrary files, extracting sensitive information, or executing arbitrary code on the server. The developer has removed the theme from the WordPress repository and has not provided a patch, recommending users to find alternative themes. The vulnerability was published on February 13, 2025, and carries a CVSS 3.1 score of 8.1, indicating high severity with network attack vector, high impact on confidentiality, integrity, and availability, no privileges required, and no user interaction needed. No known exploits are currently observed in the wild, but the risk remains significant due to the widespread use of WordPress themes and plugins and the potential for chained exploitation.
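The following is an added illustration, not code from the ThemeREX theme or from the advisory: a generic WordPress AJAX handler written in the shape the analysis describes (untrusted request data fed straight to unserialize()), beside two hardened forms. The action name 'demo_view_more', the 'params' request field and the helper names are assumed for the example; the WordPress functions used (wp_unslash, wp_send_json_success, wp_send_json_error, absint, WP_Query, wp_list_pluck, add_action) are standard core API.

```php
<?php
// Added illustration, not the theme's own code: a generic WordPress AJAX
// handler showing the CWE-502 pattern and two hardened alternatives.
// The action name 'demo_view_more' and the 'params' request field are
// assumed for the example.

/**
 * VULNERABLE pattern. unserialize() on attacker-controlled input lets the
 * sender name any loaded class via an O:<len>:"Class" token; that class's
 * __wakeup()/__destruct() (or a chain of them, a POP chain) then runs on
 * attacker-chosen properties. The theme alone may hold no useful chain, but
 * any other installed plugin or theme can supply one.
 */
function demo_view_more_vulnerable() {
    $params = unserialize( wp_unslash( $_POST['params'] ?? '' ) );
    wp_send_json_success( $params );
}

/**
 * HARDENED, minimal change: keep the wire format but refuse objects.
 * Scalars and arrays still round-trip; any O:/C: token becomes a
 * __PHP_Incomplete_Class placeholder with no magic methods, so no chain runs.
 */
function demo_view_more_no_objects() {
    $raw    = wp_unslash( $_POST['params'] ?? '' );
    $params = unserialize( $raw, [ 'allowed_classes' => false ] );
    if ( ! is_array( $params ) ) {
        wp_send_json_error( 'invalid params', 400 ); // exits
    }
    wp_send_json_success( demo_query_posts( $params ) );
}

/**
 * HARDENED, preferred: carry parameters as JSON, which has no class
 * instantiation semantics, and validate every field before use.
 */
function demo_view_more_json() {
    $params = json_decode( wp_unslash( $_POST['params'] ?? '' ), true );
    if ( ! is_array( $params ) ) {
        wp_send_json_error( 'invalid params', 400 ); // exits
    }
    wp_send_json_success( demo_query_posts( $params ) );
}

/** Allow-list the fields the query actually needs; everything else is ignored. */
function demo_query_posts( array $params ) {
    $query = new WP_Query( [
        'post_type'      => 'post',
        'post_status'    => 'publish',
        'paged'          => max( 1, absint( $params['page'] ?? 1 ) ),
        'posts_per_page' => min( 50, max( 1, absint( $params['per_page'] ?? 10 ) ) ),
    ] );
    // ID => title map, enough for a "load more" response.
    return wp_list_pluck( $query->posts, 'post_title', 'ID' );
}

// Both logged-in and anonymous visitors reach the hardened handler; the
// nopriv registration is what makes the original flaw unauthenticated.
add_action( 'wp_ajax_demo_view_more',        'demo_view_more_json' );
add_action( 'wp_ajax_nopriv_demo_view_more', 'demo_view_more_json' );
```

The 'allowed_classes' option (PHP 7.0 and later) is the smallest change that removes the object-injection primitive from an existing serialize()-based endpoint; switching to JSON removes the class of bug entirely and is the better choice when the client side can be changed too. In both hardened forms the decoded data is still untrusted, which is why demo_query_posts() reads only the two fields it needs and clamps them.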
Potential Impact
The impact of CVE-2024-13770 is substantial for organizations running WordPress sites using the vulnerable ThemeREX Puzzles theme, especially when combined with other plugins or themes that contain POP chains. Successful exploitation can lead to complete compromise of the affected web server, including unauthorized data disclosure, deletion of critical files, and remote code execution. This can result in website defacement, data breaches involving customer or business data, disruption of services, and potential pivoting to internal networks. Given WordPress's popularity as a CMS platform, many organizations, including media outlets, e-commerce sites, and review platforms, could be affected. The lack of an official patch and the removal of the theme from the repository complicate remediation efforts, increasing the window of exposure. Attackers do not require authentication or user interaction, making automated exploitation feasible if a suitable POP chain exists. This elevates the risk of large-scale attacks, especially on sites with multiple plugins and themes installed. The vulnerability's high CVSS score reflects its potential to severely impact confidentiality, integrity, and availability of affected systems.
Mitigation Recommendations
Since no patch is available and the theme has been removed from the repository, the primary mitigation is to immediately discontinue use of the vulnerable ThemeREX Puzzles theme and replace it with a secure, actively maintained alternative. Site administrators should audit their WordPress installations for the presence of this theme and any other plugins or themes that may contain POP chains, minimizing the attack surface. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious serialized payloads targeting the 'view_more_posts' AJAX action can provide temporary protection. Restricting or disabling AJAX endpoints that are not essential can reduce exposure. Regularly updating all WordPress components and removing unused plugins/themes reduces the risk of chained exploitation. Monitoring logs for suspicious deserialization attempts and anomalous AJAX requests is recommended. Additionally, applying the principle of least privilege to the web server and WordPress file permissions can limit the damage if exploitation occurs. Backup strategies should be reviewed to ensure rapid recovery in case of compromise. Finally, educating site administrators about the risks of untrusted deserialization and encouraging the use of secure coding practices in custom plugins/themes is important to prevent similar vulnerabilities.
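As an added example of the temporary protection and log monitoring recommended above (this is not vendor code and not part of the advisory), the must-use plugin below blocks admin-ajax requests that carry a PHP serialized object token for a guarded action and records the attempt. The function and plugin names are assumptions; 'view_more_posts' is the action named in this advisory; wp_doing_ajax, add_action, wp_die and error_log are standard WordPress/PHP API.

```php
<?php
/**
 * Plugin Name: Serialized-object guard for admin-ajax (added example)
 *
 * Added example, not vendor code: drop into wp-content/mu-plugins/ to refuse
 * admin-ajax requests that carry PHP serialized object tokens for the actions
 * in $guarded_actions, logging each attempt. It is a stop-gap for a component
 * without a patch and does not replace removing the vulnerable theme.
 */

/**
 * True when $value (recursively for arrays, and for base64-looking strings
 * also their decoded form) contains a PHP serialized object token such as
 * O:8:"stdClass" or C:11:"ArrayObject". The token may sit at the start of
 * the string or nested inside an array/object body, hence the leading
 * context class in the pattern.
 */
function sg_contains_serialized_object( $value ) {
    if ( is_array( $value ) ) {
        foreach ( $value as $v ) {
            if ( sg_contains_serialized_object( $v ) ) {
                return true;
            }
        }
        return false;
    }
    if ( ! is_string( $value ) ) {
        return false;
    }
    $pattern = '/(?:^|[;{:])[OC]:\d+:"/';
    if ( preg_match( $pattern, $value ) ) {
        return true;
    }
    // Payloads are sometimes base64-wrapped; inspect the decoded bytes too.
    if ( preg_match( '/^[A-Za-z0-9+\/=]{8,}$/', $value ) ) {
        $decoded = base64_decode( $value, true );
        return $decoded !== false && preg_match( $pattern, $decoded ) === 1;
    }
    return false;
}

// admin-ajax.php fires 'admin_init' before dispatching wp_ajax_{action} /
// wp_ajax_nopriv_{action}, so a check here runs ahead of the theme's handler.
add_action( 'admin_init', function () {
    // Assumed list; extend with any other endpoint found to unserialize input.
    $guarded_actions = [ 'view_more_posts' ];

    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : '';
    if ( ! in_array( $action, $guarded_actions, true ) ) {
        return;
    }
    if ( sg_contains_serialized_object( $_GET ) || sg_contains_serialized_object( $_POST ) ) {
        // One line per blocked request, suitable for shipping to a SIEM.
        error_log( sprintf(
            'serialized-object guard: blocked action=%s ip=%s ua=%s',
            $action,
            $_SERVER['REMOTE_ADDR'] ?? '-',
            substr( $_SERVER['HTTP_USER_AGENT'] ?? '-', 0, 200 )
        ) );
        wp_die( 'Forbidden', 'Forbidden', [ 'response' => 403 ] );
    }
}, 1 );
```

Pattern-based blocking is a virtual patch, not a fix: it catches the plain and base64-wrapped forms of the serialized-object marker, but any encoding the guard does not decode would pass, which is why the advisory's primary recommendation remains replacing the theme. Counting the guard's log lines per source address over time also gives a simple signal for the "anomalous AJAX requests" the recommendations ask administrators to watch for.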
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Netherlands, Japan, South Korea, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-28T15:43:19.055Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e6db7ef31ef0b5a071b
Added to database: 2/25/2026, 9:49:33 PM
Last enriched: 2/25/2026, 10:02:09 PM
Last updated: 2/26/2026, 8:23:45 AM