CVE-2022-3747

Name of the Vulnerable Software and Affected Versions Becustom plugin for WordPress versions up to, and including, 1.0.5.2

Description The issue is due to missing nonce validation when saving the plugin's settings, making it possible for unauthenticated attackers to update the plugin's settings, such as betheme url slug, replaced theme author, and betheme label, via a forged request. This can be achieved if attackers can trick a site administrator into performing an action, like clicking on a link.

Recommendations For versions up to, and including, 1.0.5.2, update to a version that includes nonce validation for the plugin's settings to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the plugin's settings page to minimize the risk of exploitation.