CVE-2024-13769: 
WordPress vulnerability analysis and mitigation

The Puzzles WordPress Theme (WP Magazine/Review with Store) contains a Stored Cross-Site Scripting vulnerability (CVE-2024-13769) discovered in February 2024. The vulnerability affects all versions up to and including 4.2.4 due to a missing capability check on the 'themeoptionsajaxpostaction' AJAX action. The theme is used for movie review portals, games overview blogs, forums and online stores (NVD, ThemeForest).

The vulnerability stems from improper authorization controls in the theme's AJAX functionality, specifically in the 'themeoptionsajaxpostaction' action. This security flaw allows authenticated users with Subscriber-level access or higher to modify plugin settings and inject malicious web scripts. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N by NIST, while Wordfence assessed it at 6.4 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated attackers with Subscriber-level privileges to inject malicious web scripts through the theme's settings. This could potentially lead to stored cross-site scripting attacks affecting site administrators and other users who access the affected pages (NVD).

The developer has removed the software from the repository and no update is available to address this vulnerability. Users are recommended to find and implement a replacement theme for their WordPress installations (NVD, ThemeForest).