Betheme theme vulnerable to PHP Object Injection
CVE-2024-2694

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Betheme
Vendor: CVE Published:; 30 August 2024

Summary

The Betheme theme for WordPress is susceptible to a PHP Object Injection vulnerability across all versions up to and including 27.5.6. This issue arises from the deserialization of untrusted input originating from the 'mfn-page-items' post meta value. Authenticated attackers with contributor-level access or higher can exploit this flaw to inject malicious PHP objects. While no known payload object graph (POP) chain exists in the vulnerable plugin itself, the presence of a POP chain through additional plugins or themes installed on the target system could enable attackers to perform various actions, including deleting arbitrary files, accessing sensitive data, or executing unauthorized code.

Affected Version(s)

Betheme * <= 27.5.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themeforest.net/item/betheme-responsive-multipurp...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 30, 2024
Vulnerability Reserved
Mar 19, 2024

Credit

Francesco Carlucci