8.8
CVE-2022-3861
- EPSS 3.33%
- Veröffentlicht 21.11.2022 13:15:10
- Zuletzt bearbeitet 21.11.2024 07:20:23
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginBetheme <= 26.5.1.4 - Authenticated (Subscriber+) PHP Object Injection
The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 26.5.1.4 via deserialization of untrusted input supplied via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn_builder_import, mfn_builder_import_page, importdata, importsinglepage, and importfromclipboard functions. This makes it possible for authenticated attackers, with contributor level permissions and above to inject a PHP Object. The additional presence of a POP chain would make it possible for attackers to execute code, retrieve sensitive data, delete files, etc..
Mögliche Gegenmaßnahme
Betheme: Update to version 26.6, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Theme
≫
Produkt
Betheme
Version
*-26.5.1.4
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Muffingroup ≫ Betheme SwPlatformwordpress Version < 26.6
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.33% | 0.869 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| security@wordfence.com | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.