CVE-2024-13770

Name of the Vulnerable Software and Affected Versions The Puzzles | WP Magazine / Review with Store WordPress Theme + RTL theme for WordPress versions up to, and including, 4.2.4

Description The issue concerns PHP Object Injection via deserialization of untrusted input in the 'view more posts' AJAX action. This allows unauthenticated attackers to inject a PHP Object. However, without a POP chain present in the vulnerable software or an additional plugin/theme, the impact is limited. If a POP chain is present, it could enable actions like deleting arbitrary files, retrieving sensitive data, or executing code, depending on the chain. The software has been removed from the repository, and no update is available.

Recommendations For versions up to, and including, 4.2.4, consider finding a replacement software as the developer has removed it from the repository and no update is available. As a temporary workaround, consider disabling the 'view more posts' AJAX action until a replacement software is implemented. Restrict access to sensitive data and files to minimize potential damage in case of exploitation.