The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 26.5.1.4 via deserialization of untrusted input supplied via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn_builder_import, mfn_builder_import_page, importdata, importsinglepage, and importfromclipboard functions. This makes it possible for authenticated attackers, with contributor level permissions and above to inject a PHP Object. The additional presence of a POP chain would make it possible for attackers to execute code, retrieve sensitive data, delete files, etc..
Metrics
Affected Vendors & Products
References
History
Fri, 07 Feb 2025 21:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|

Status: PUBLISHED
Assigner: Wordfence
Published: 2022-11-21T12:45:46.108Z
Updated: 2025-02-07T20:32:20.436Z
Reserved: 2022-11-04T13:47:00.257Z
Link: CVE-2022-3861

Updated: 2024-08-03T01:20:58.787Z

Status : Modified
Published: 2022-11-21T13:15:10.273
Modified: 2024-11-21T07:20:23.063
Link: CVE-2022-3861

No data.