PT-2022-24477 · WordPress · Betheme

Julien Ahrens · Published 2022-11-21 · Updated 2022-11-30 · CVE-2022-3861

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Betheme theme for WordPress versions up to, and including, 26.5.1.4

Description

The issue concerns PHP Object Injection via deserialization of untrusted input. This is made possible through the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn builder import, mfn builder import page, importdata, importsinglepage, and importfromclipboard functions. Authenticated attackers with contributor level permissions and above can inject a PHP Object, potentially allowing them to execute code, retrieve sensitive data, or delete files if a POP chain is present.

Recommendations

For versions up to, and including, 26.5.1.4, consider disabling the mfn builder import, mfn builder import page, importdata, importsinglepage, and importfromclipboard functions as a temporary workaround until a patch is available. Restrict access to the import, mfn-items-import-page, and mfn-items-import parameters to minimize the risk of exploitation. Avoid using these parameters in the affected functions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2022-3861

Affected Products

Betheme