The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 26.5.1.4 via deserialization of untrusted input supplied via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn_builder_import, mfn_builder_import_page, importdata, importsinglepage, and importfromclipboard functions. This makes it possible for authenticated attackers, with contributor level permissions and above to inject a PHP Object. The additional presence of a POP chain would make it possible for attackers to execute code, retrieve sensitive data, delete files, etc..
History

Fri, 07 Feb 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2022-11-21T12:45:46.108Z

Updated: 2025-02-07T20:32:20.436Z

Reserved: 2022-11-04T13:47:00.257Z

Link: CVE-2022-3861

cve-icon Vulnrichment

Updated: 2024-08-03T01:20:58.787Z

cve-icon NVD

Status : Modified

Published: 2022-11-21T13:15:10.273

Modified: 2024-11-21T07:20:23.063

Link: CVE-2022-3861

cve-icon Redhat

No data.