A vulnerability advisory was issued about two WordPress themes found on ThemeForest that could allow a hacker to delete arbitrary files and inject malicious scripts into a website.
Two WordPress Themes Sold On ThemeForest
The two WordPress themes with vulnerabilities are sold on ThemeForest and together they have over half a million sales.
The two themes are:
- Betheme theme for WordPress (306,362 sales)
- The Enfold – Responsive Multi-Purpose Theme for WordPress (260,607 sales)
Betheme Theme for WordPress Vulnerability
Wordfence issued an advisory that the Betheme theme contained a PHP Object Injection vulnerability that was rated as a high threat.
Wordfence was discreet in their description of the vulnerability and offered no details of the specific flaw. However, in the context of a WordPress theme, a PHP Object Injection vulnerability usually arises when user-controlled input (such as a post meta value) is passed to PHP's unserialize() without validation, which lets the input instantiate arbitrary PHP classes rather than just the data structure the theme expected.
This is how Wordfence described it:
“The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the ‘mfn-page-items’ post meta value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin.
If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.”
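The following is an added illustration, not code from Betheme, Wordfence or the advisory. It shows the generic pattern the advisory describes: a post meta string that a contributor-level user can influence goes straight into unserialize(), so any class named in the string is instantiated and its magic methods run, whereas a hardened loader refuses to instantiate classes and only keeps the scalar fields the theme actually needs. The meta format, the DemoGadget class and the function names are hypothetical; DemoGadget stands in for a class some other plugin might define, which is what the advisory means by a POP chain being present "via an additional plugin or theme".

```php
<?php
// Added example (hypothetical names); not the theme's real code.

// Stand-in for a class another installed plugin might define. Its __wakeup()
// runs as a side effect of unserialize() even though the theme never asked
// for this class. A real gadget would do something harmful with $target.
class DemoGadget {
    public $target = '';
    public function __wakeup(): void {
        echo "DemoGadget::__wakeup() ran (target='{$this->target}')\n";
    }
}

// VULNERABLE pattern: untrusted post meta -> unserialize() -> arbitrary objects.
function load_page_items_vulnerable( string $raw ): array {
    $items = @unserialize( $raw );
    return is_array( $items ) ? $items : [];
}

// HARDENED pattern: forbid class instantiation (PHP >= 7.0 allowed_classes
// option) and whitelist the shape of each item. Smuggled objects come back as
// __PHP_Incomplete_Class, fail the is_array() check and are dropped.
function load_page_items_safe( string $raw ): array {
    $items = @unserialize( $raw, [ 'allowed_classes' => false ] );
    if ( ! is_array( $items ) ) {
        return [];
    }
    $clean = [];
    foreach ( $items as $item ) {
        if ( ! is_array( $item ) ) {
            continue; // objects are never valid layout items
        }
        $clean[] = [
            'type'    => preg_replace( '/[^a-z0-9_-]/', '', (string) ( $item['type'] ?? '' ) ),
            'content' => htmlspecialchars( (string) ( $item['content'] ?? '' ), ENT_QUOTES, 'UTF-8' ),
        ];
    }
    return $clean;
}

// Constructed sample meta value: one legitimate item plus a smuggled object.
// serialize() is used only to build the sample; real input is an arbitrary string.
$sample = serialize( [
    [ 'type' => 'text', 'content' => '<b>Hello</b>' ],
    new DemoGadget(),
] );

echo "vulnerable loader:\n";
$v = load_page_items_vulnerable( $sample );   // __wakeup() fires; 2 items, one is an object
echo count( $v ) . " items, second is " . gettype( $v[1] ) . "\n";

echo "safe loader:\n";
$s = load_page_items_safe( $sample );         // __wakeup() never runs; 1 clean item
echo count( $s ) . " items, content=" . $s[0]['content'] . "\n";
```

The decisive line is the allowed_classes option: with it set to false, unserialize() still parses arrays and scalars but cannot create objects, so the presence or absence of a gadget class elsewhere on the site no longer matters. Storing layout data as JSON (json_encode/json_decode with assoc=true) avoids the problem entirely, since JSON has no object-instantiation semantics; for existing serialized data, the hardened loader above is the minimal change.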
Has Betheme Theme Been Patched?