CVE-2022-3861
CVSS V2 None
CVSS V3 None
Description
The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 26.5.1.4 via deserialization of untrusted input supplied via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn_builder_import, mfn_builder_import_page, importdata, importsinglepage, and importfromclipboard functions. This makes it possible for authenticated attackers, with contributor level permissions and above to inject a PHP Object. The additional presence of a POP chain would make it possible for attackers to execute code, retrieve sensitive data, delete files, etc..
Overview
- CVE ID
- CVE-2022-3861
- Assigner
- security@wordfence.com
- Vulnerability Status
- Analyzed
- Published Version
- 2022-11-21T13:15:10
- Last Modified Date
- 2022-11-30T15:31:38
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:muffingroup:betheme:*:*:*:*:*:wordpress:*:* | 1 | OR | 26.6 |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-3861 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3861 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-11-21 14:00:16 | Added to TrackCVE | |||
| 2022-12-07 17:56:52 | 2022-11-21T13:15Z | 2022-11-21T13:15:10 | CVE Published Date | updated |
| 2022-12-07 17:56:52 | 2022-11-30T15:31:38 | CVE Modified Date | updated | |
| 2022-12-07 17:56:52 | Analyzed | Vulnerability Status | updated | |
| 2022-12-07 17:56:53 | CWE-502 | Weakness Enumeration | new | |
| 2022-12-07 17:56:54 | CPE Information | updated |