A successful attack against an unpatched site hands the attacker full control of the web server, enabling theft of customer data, database contents, and credentials, as well as deployment of ransomware or use of the server in further attacks. WordPress sites frequently process customer contact forms, e-commerce transactions, or membership data, making a server compromise a potential trigger for breach notification obligations under GDPR, state privacy laws, or PCI-DSS depending on the site's function. With active exploitation confirmed by CISA, organizations that delay patching face not just technical risk but a demonstrated, ongoing threat.
You Are Affected If
You run the ThemeREX Addons (trx_addons) WordPress plugin at a version earlier than 2.38.5 on any production WordPress instance
Your WordPress site is publicly accessible from the internet
The wp-admin/admin-ajax.php endpoint is reachable without WAF or IP-based access controls blocking unauthenticated external requests
You have not yet applied the patch released in trx_addons version 2.38.5
You applied a patch for CVE-2024-13448 but have not verified the fix was complete or re-validated after subsequent plugin updates
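To turn the first and last of these conditions into a repeatable check, here is an added example (not code from the advisory or from ThemeREX) that reads the installed version out of the plugin's main file header and compares it against the fixed release. It assumes the standard WordPress plugin header format and the conventional path wp-content/plugins/trx_addons/trx_addons.php; both the path and the sample header are assumptions constructed for the example.

```python
import re
import sys
from pathlib import Path

# Threshold taken from the advisory: any trx_addons build below 2.38.5 is affected.
FIXED_VERSION = "2.38.5"
PLUGIN_SLUG = "trx_addons"

# Constructed sample of a WordPress plugin header (not the real plugin file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: ThemeREX Addons
 * Version: 2.38.4
 */
"""


def parse_version(text: str) -> tuple:
    """Turn '2.38.4' into (2, 38, 4); stop at the first non-numeric piece."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_from_header(php_source: str):
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    return m.group(1) if m else None


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version sorts below the fixed version."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))            # pad so 2.38 compares as 2.38.0
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def assess_plugin_source(php_source: str) -> str:
    """Return 'affected', 'patched' or 'unknown' for one plugin file's contents."""
    v = version_from_header(php_source)
    if v is None:
        return "unknown"
    return "affected" if is_affected(v) else "patched"


if __name__ == "__main__":
    # Usage: python check_trx_addons.py /path/to/wp-content  (path is an assumption)
    main_file = Path(sys.argv[1]) / "plugins" / PLUGIN_SLUG / f"{PLUGIN_SLUG}.php"
    status = assess_plugin_source(main_file.read_text()) if main_file.is_file() else "not installed"
    print(f"{PLUGIN_SLUG}: {status}")
```

Run it against every WordPress document root in scope after each plugin update, since the last "affected if" condition is exactly the case where a prior fix was never re-validated.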
Board Talking Points
Attackers can compromise any of our public-facing WordPress sites running an unpatched ThemeREX plugin without needing a username or password — active attacks are confirmed by CISA.
Security teams should patch all affected WordPress installations to plugin version 2.38.5 or higher within 24 hours, or isolate affected sites until patching is complete.
Failure to patch leaves our web servers open to full takeover, including customer data theft and ransomware, with confirmed real-world exploitation already underway.