A vulnerability advisory was issued about two WordPress themes sold on ThemeForest that could allow a hacker to delete arbitrary files and inject malicious scripts into a website.
Two WordPress Themes Sold On ThemeForest
The two WordPress themes with vulnerabilities are sold on ThemeForest and together they have over half a million sales.
The two themes are:
- Betheme theme for WordPress (306,362 sales)
- The Enfold – Responsive Multi-Purpose Theme for WordPress (260,607 sales)
Betheme Theme for WordPress Vulnerability
Wordfence issued an advisory that the Betheme theme contains a PHP Object Injection vulnerability rated as a high threat.
Wordfence was discreet in their description of the vulnerability and offered no details of the exact flaw. However, in the context of a WordPress theme, a PHP Object Injection vulnerability usually arises when user-supplied input is deserialized without first being properly filtered (sanitized) for unwanted content.
This is how Wordfence described it:
“The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the ‘mfn-page-items’ post meta value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin.
If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.”
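The advisory describes the general class of bug rather than Betheme's code, so the following is an added example (not the theme's code and not from Wordfence) showing why calling unserialize() on a post meta value that a Contributor can write is dangerous, and how a theme can harden that call. It assumes a hypothetical class with a magic method (standing in for whatever a "POP chain" plugin might load), stubs WordPress's get_post_meta() with constructed sample values, and runs stand-alone without WordPress:

```php
<?php
// Added example, not Betheme's code. Illustrates deserialization of a
// Contributor-controlled post meta value and two ways to harden it.
// Stand-alone: get_post_meta() is replaced by a local stub below.

declare(strict_types=1);

// Hypothetical class with a magic method. Any class like this that a plugin
// or theme happens to load becomes a candidate gadget once unserialize()
// is allowed to instantiate objects from untrusted bytes.
final class AuditLogger {
    public string $path = '/tmp/audit.log';
    public function __wakeup(): void {
        // Runs during unserialize(), before the theme ever looks at the data.
        echo "[AuditLogger::__wakeup] would touch {$this->path}\n";
    }
}

// Stub standing in for WordPress get_post_meta(). The values are constructed
// samples of what a low-privileged user could have stored.
function get_post_meta_stub(string $key): string {
    $samples = [
        // Serialized object: the dangerous case.
        'mfn-page-items' => 'O:11:"AuditLogger":1:{s:4:"path";s:18:"/etc/important.cfg";}',
        // Serialized plain array: the shape the theme actually expects.
        'mfn-page-items-benign' => 'a:1:{i:0;a:1:{s:4:"type";s:4:"text";}}',
    ];
    return $samples[$key] ?? '';
}

// 1. Vulnerable pattern: whatever was stored becomes live objects.
function load_items_vulnerable(string $key): mixed {
    return unserialize(get_post_meta_stub($key));
}

// 2. Hardened: forbid object instantiation. Any object in the payload
//    degrades to __PHP_Incomplete_Class and no magic method runs; the
//    result is then validated against the expected shape (a list of arrays).
function load_items_hardened(string $key): array {
    $raw = get_post_meta_stub($key);
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    foreach ($data as $entry) {
        if (!is_array($entry)) {   // an object here means the value was tampered with
            return [];
        }
    }
    return $data;
}

// 3. Safer still for new code: store JSON, which cannot encode PHP objects.
function decode_items_json(string $raw): array {
    $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Demonstration
load_items_vulnerable('mfn-page-items');                 // __wakeup fires
var_dump(load_items_hardened('mfn-page-items'));          // array(0) {}
var_dump(load_items_hardened('mfn-page-items-benign'));   // the expected array
var_dump(decode_items_json('[{"type":"text"}]'));         // same data, no objects possible
```

The `allowed_classes => false` option has been available since PHP 7.0, so it can be applied to an existing theme without changing the stored format; switching the storage format to JSON removes the object-injection surface entirely but requires a migration of existing post meta.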
Has Betheme Theme Been Patched?
Betheme Theme for WordPress received a patch on August 30, 2024. But Wordfence's advisory does not acknowledge it. It's possible that the advisory simply needs to be updated; that is unclear. Nevertheless, it's recommended that users of the Betheme theme consider updating their theme to the latest version, which is Version 27.5.7.1.
The Enfold – Responsive Multi-Purpose Theme for WordPress
The Enfold Responsive Multi-Purpose WordPress theme contains a different flaw and was given a lower severity rating of 6.4. That said, the publisher of the theme has not issued a fix for the vulnerability.
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress theme, originating from a failure to sanitize inputs.
Wordfence describes the vulnerability:
“The Enfold – Responsive Multi-Purpose Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wrapper_class’ and ‘class’ parameters in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”
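To make the "insufficient input sanitization and output escaping" wording concrete, here is an added example (not Enfold's code and not from Wordfence) of a shortcode-style renderer that interpolates `wrapper_class` and `class` attributes unescaped, beside a hardened version that allow-lists class tokens and escapes for the attribute context. It runs stand-alone: WordPress's sanitize_html_class() and esc_attr() are replaced by minimal local equivalents, and the attribute values are constructed samples:

```php
<?php
// Added example, not Enfold's code. Shows the stored-XSS pattern behind
// unescaped 'wrapper_class' / 'class' shortcode attributes and its fix.
// Stand-alone: local stand-ins replace WordPress sanitize_html_class()/esc_attr().

declare(strict_types=1);

// Constructed sample: attribute values as a Contributor could store them in
// post content. The double quote closes the class attribute early.
$attsFromPost = [
    'wrapper_class' => 'promo" onmouseover="alert(1)',
    'class'         => 'wide',
];

// Vulnerable rendering: values are interpolated as-is into the attribute.
function render_vulnerable(array $atts): string {
    $a = array_merge(['wrapper_class' => '', 'class' => ''], $atts);
    return '<div class="' . $a['wrapper_class'] . '">'
         . '<section class="' . $a['class'] . '"></section></div>';
}

// Stand-in for WordPress sanitize_html_class() applied per token: keep only
// tokens that are valid CSS class names, drop everything else.
function filter_class_list(string $value): string {
    $tokens = preg_split('/\s+/', trim($value)) ?: [];
    $valid = array_filter(
        $tokens,
        static fn(string $t): bool => (bool) preg_match('/^[A-Za-z][A-Za-z0-9_-]*$/', $t)
    );
    return implode(' ', $valid);
}

// Stand-in for esc_attr(): HTML-encode for an attribute context.
function esc_attr_local(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: sanitize (allow-list) on the way in, escape on the way
// out. Both layers are kept so a future change to one does not reopen the bug.
function render_hardened(array $atts): string {
    $a = array_merge(['wrapper_class' => '', 'class' => ''], $atts);
    $wrapper = esc_attr_local(filter_class_list($a['wrapper_class']));
    $inner   = esc_attr_local(filter_class_list($a['class']));
    return '<div class="' . $wrapper . '">'
         . '<section class="' . $inner . '"></section></div>';
}

echo render_vulnerable($attsFromPost), "\n";
// <div class="promo" onmouseover="alert(1)"><section class="wide"></section></div>
echo render_hardened($attsFromPost), "\n";
// <div class=""><section class="wide"></section></div>
```

In a real theme the sanitization step belongs where the shortcode attributes are parsed (WordPress themes commonly do this in a shortcode_atts() callback), and the escaping step belongs at the point of output; Wordfence's advisory names both as missing, which is why the hardened version does both.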
Enfold Vulnerability Has Not Been Patched
The Enfold – Responsive Multi-Purpose Theme for WordPress has not been patched as of this writing and remains vulnerable. The changelog documenting updates to the theme shows that it was last updated on August 19, 2024.
Screenshot Of Enfold WordPress Theme’s Changelog
Wordfence’s advisory warned:
“No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.”
Read the advisories:
Betheme <= 27.5.6 – Authenticated (Contributor+) PHP Object Injection