A vulnerability advisory was issued for two WordPress themes sold on ThemeForest that could allow an attacker to delete arbitrary files or inject malicious scripts into a website.
Two WordPress Themes Sold On ThemeForest
The two vulnerable WordPress themes are sold on ThemeForest and together they have over half a million sales.
The two themes are:
- Betheme theme for WordPress (306,362 sales)
- The Enfold – Responsive Multi-Purpose Theme for WordPress (260,607 sales)
Betheme Theme for WordPress Vulnerability
Wordfence issued an advisory that the Betheme theme contained a PHP Object Injection vulnerability, rated as a high threat.
Wordfence was discreet in its description and published no details of the specific flaw. In general, a PHP Object Injection vulnerability arises when attacker-controlled data is passed to PHP's unserialize() function. The attacker then chooses which class is instantiated and what its properties contain; whether that leads to file deletion, data disclosure or code execution depends on which "gadget" classes (classes with magic methods such as __wakeup or __destruct that act on those properties) happen to be loaded at the time. That is what the advisory's reference to a "POP chain" means.
This is how Wordfence described it:
"The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the 'mfn-page-items' post meta value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin.
If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."
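The following is an added example, not Betheme's code, showing the pattern the advisory describes: a theme that stores page-builder data in post meta and later calls unserialize() on it, beside two safe ways to load the same data. The class name CacheFile, the loader functions and the serialized payload are all hypothetical; CacheFile stands in for the "POP chain" gadget that some other installed plugin or theme might provide.

```php
<?php
// Added example (not Betheme's code). Everything here is hypothetical: the
// gadget class, the loader functions and the payload are constructed to show
// why unserialize() on attacker-controlled post meta is dangerous.

// Stand-in for a gadget class that another installed plugin or theme might
// define. The theme under discussion has no such chain itself; the advisory's
// point is that any loaded class with a useful __destruct or __wakeup turns
// object injection into real impact.
class CacheFile
{
    public string $path = '';

    public function __destruct()
    {
        // Removes its file when the object is garbage-collected.
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: the stored meta value is deserialized as-is, so the
// attacker chooses the class and its properties.
function load_page_items_vulnerable(string $meta): mixed
{
    return unserialize($meta);
}

// Hardened pattern 1: refuse to instantiate any class. Serialized objects come
// back as __PHP_Incomplete_Class, whose magic methods never run; malformed
// input yields false, which we map to an empty layout.
function load_page_items_hardened(string $meta): array
{
    $items = unserialize($meta, ['allowed_classes' => false]);
    return is_array($items) ? $items : [];
}

// Hardened pattern 2 (preferred for new code): store plain data as JSON, a
// format that cannot express objects with behaviour at all.
function save_page_items(array $items): string
{
    return json_encode($items, JSON_THROW_ON_ERROR);
}

function load_page_items_json(string $meta): array
{
    $items = json_decode($meta, true);
    return is_array($items) ? $items : [];
}

// Demo with a constructed payload. A real attacker would get this string into
// the post meta value; here we simulate the stored value directly.
function constructed_payload(string $path): string
{
    return 'O:9:"CacheFile":1:{s:4:"path";s:' . strlen($path) . ':"' . $path . '";}';
}

$victim = tempnam(sys_get_temp_dir(), 'poi');     // file the attacker wants gone
load_page_items_vulnerable(constructed_payload($victim)); // object built, __destruct runs
echo "vulnerable loader: file still exists? ", var_export(is_file($victim), true), "\n";

$victim = tempnam(sys_get_temp_dir(), 'poi');
load_page_items_hardened(constructed_payload($victim)); // no CacheFile instantiated
echo "hardened loader:   file still exists? ", var_export(is_file($victim), true), "\n";
unlink($victim);

// Legitimate layout data round-trips through the JSON loader unchanged.
$layout = [['type' => 'column', 'width' => '1/2', 'items' => [['type' => 'text']]]];
var_dump(load_page_items_json(save_page_items($layout)) === $layout);
```

Run with `php poi_example.php` on PHP 8 or later. Two caveats for anyone auditing a theme: `allowed_classes` only prevents instantiation, so nested arrays and scalars still arrive as the attacker wrote them and must still be validated; and WordPress's get_post_meta() already runs maybe_unserialize() on stored values, so a theme that calls unserialize() on a meta value itself is doing something unusual and worth grepping for (`grep -rn "unserialize(" wp-content/themes/`).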
Has Betheme Theme Been Patched?
Betheme received a patch on August 30, 2024, but Wordfence's advisory does not yet acknowledge it, so the advisory may simply need updating. Either way, users of the Betheme theme should update to the latest version, which is version 27.5.7.1.
The Enfold – Responsive Multi-Purpose Theme for WordPress
The Enfold – Responsive Multi-Purpose Theme contains a different flaw and was given a lower severity score of 6.4. Unlike Betheme, however, the publisher of the theme has not issued a fix.
The flaw is a Stored Cross-Site Scripting (XSS) vulnerability in two parameters, 'wrapper_class' and 'class'. It stems from insufficient input sanitization combined with missing output escaping: values supplied by a Contributor are written into the page's HTML as-is, so a script placed there runs in the browser of every visitor who views the page.
Wordfence describes the vulnerability:
"The Enfold – Responsive Multi-Purpose Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper_class' and 'class' parameters in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
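As an added example (not Enfold's code), the following hypothetical shortcode handler shows the bug class the advisory names: CSS classes taken from attributes and written into HTML unescaped, followed by a version that restricts the values to class-name characters and escapes them for the attribute context. The attribute names match the advisory; the handler, the helper functions and the payload are constructed for illustration.

```php
<?php
// Added example (not Enfold's code). A hypothetical shortcode handler that
// lets a post author pick CSS classes through attributes. The attribute names
// come from the advisory; everything else is constructed for illustration.

// Vulnerable: attribute values are concatenated straight into the HTML, so a
// double quote in the value breaks out of the class attribute.
function render_wrapper_vulnerable(array $atts, string $content): string
{
    $wrapper_class = $atts['wrapper_class'] ?? '';
    $class         = $atts['class'] ?? '';
    return '<div class="' . $wrapper_class . '"><div class="' . $class . '">'
         . $content . '</div></div>';
}

// Keep only tokens that look like CSS class names. This mirrors the idea of
// WordPress's sanitize_html_class(), reimplemented here so the file runs
// outside WordPress.
function sanitize_class_list(string $value): string
{
    $clean = [];
    foreach (preg_split('/\s+/', trim($value)) as $token) {
        if ($token !== '' && preg_match('/^[A-Za-z0-9_-]+$/', $token)) {
            $clean[] = $token;
        }
    }
    return implode(' ', $clean);
}

// Escape for an HTML attribute context (what esc_attr() does in WordPress).
function esc_attribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened: validate on input, escape on output. The allow-list alone stops the
// attribute break-out; the escape is defence in depth in case the allow-list is
// later loosened. $content is assumed to be already-filtered post content.
function render_wrapper_hardened(array $atts, string $content): string
{
    $wrapper_class = esc_attribute(sanitize_class_list($atts['wrapper_class'] ?? ''));
    $class         = esc_attribute(sanitize_class_list($atts['class'] ?? ''));
    return '<div class="' . $wrapper_class . '"><div class="' . $class . '">'
         . $content . '</div></div>';
}

// Constructed attributes, the kind a Contributor could supply in post content.
// Contributors lack the unfiltered_html capability, so KSES strips script tags
// from their post body, but KSES knows nothing about shortcode attributes: the
// theme's handler is the only thing standing between the value and the page.
$atts = [
    'wrapper_class' => 'row',
    'class'         => '" onmouseover="alert(document.domain)',
];
echo render_wrapper_vulnerable($atts, 'hello'), "\n";
echo render_wrapper_hardened($atts, 'hello'), "\n";
```

The first line of output contains a live onmouseover handler; the second contains only `class=""` because the quote and the event attribute fail the class-name allow-list. When reviewing a theme, look for shortcode handlers that echo `$atts[...]` without passing the value through sanitize_html_class() or esc_attr() first.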
Enfold Vulnerability Has Not Been Patched
The Enfold – Responsive Multi-Purpose Theme for WordPress has not been patched as of this writing and remains vulnerable. The changelog documenting updates to the theme shows that it was last updated on August 19, 2024.
Screenshot Of Enfold WordPress Theme’s Changelog
Wordfence's advisory warned:
"No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement."
Learn the advisories:
Betheme <= 27.5.6 – Authenticated (Contributor+) PHP Object Injection