CVE-2024-13769

Name of the Vulnerable Software and Affected Versions The Puzzles | WP Magazine / Review with Store WordPress Theme + RTL theme for WordPress versions up to, and including, 4.2.4

Description The issue is related to a missing capability check on the theme options ajax post action AJAX action, which allows authenticated attackers with Subscriber-level access and above to update the plugin's settings and inject malicious web scripts. This is a Stored Cross-Site Scripting issue. The developer has removed the software from the repository, and an update is not available.

Recommendations For versions up to, and including, 4.2.4, consider finding a replacement software as the developer has removed the theme from the repository and no update is available. As a temporary workaround, consider restricting access to the theme options ajax post action AJAX action to minimize the risk of exploitation.