Vulnerability Details: CVE-2022-3861
The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 26.5.1.4 via deserialization of untrusted input supplied via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn_builder_import, mfn_builder_import_page, importdata, importsinglepage, and importfromclipboard functions. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject a PHP object. The additional presence of a POP chain would make it possible for attackers to execute code, retrieve sensitive data, delete files, etc.
Vulnerability category: Execute code
Products affected by CVE-2022-3861
- cpe:2.3:a:muffingroup:betheme:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-3861
EPSS score: 0.23% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~61% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2022-3861
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | 
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | Wordfence | 
CWE ids for CVE-2022-3861
- The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Assigned by:
- nvd@nist.gov (Primary)
- security@wordfence.com (Secondary)
References for CVE-2022-3861
- https://muffingroup.com/betheme/ (Betheme - The Biggest WordPress & WooCommerce Theme with 650+ pre-built websites) [Product]
- https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2022-3861.txt (advisories/CVE-2022-3861.txt at master · MrTuxracer/advisories · GitHub) [Exploit; Third Party Advisory]
- https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3861 (Vulnerability Advisories Continued - Wordfence) [Third Party Advisory]