Vulnerability CVE-2022-3747


Published: 2022-11-29

Description:
The Becustom plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.5.2. This is due to missing nonce validation when saving the plugin's settings. This makes it possible for unauthenticated attackers to update the plugin's settings, such as betheme_url_slug, replaced_theme_author, and betheme_label, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
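As an added illustration, not code from the Becustom plugin or the advisory: a WordPress settings-save handler showing the missing-nonce pattern the description refers to, beside a hardened version that checks capability and nonce. The hook name, nonce action and field names are assumptions; the option names are those listed above.

```php
<?php
// Illustrative example, not the Becustom plugin's code. Hook name,
// nonce action ('becustom_save_settings') and field names are assumed.

// VULNERABLE pattern: any POST that reaches admin-post.php with these fields
// is honoured. A page on another origin can submit such a form from a
// logged-in administrator's browser, and the options are overwritten.
function becustom_save_settings_vulnerable() {
    update_option( 'betheme_url_slug', sanitize_title( wp_unslash( $_POST['betheme_url_slug'] ?? '' ) ) );
    update_option( 'replaced_theme_author', sanitize_text_field( wp_unslash( $_POST['replaced_theme_author'] ?? '' ) ) );
    update_option( 'betheme_label', sanitize_text_field( wp_unslash( $_POST['betheme_label'] ?? '' ) ) );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

// HARDENED pattern: capability check plus nonce verification. The nonce is
// bound to the user's session and the action name, so a cross-origin page
// cannot supply a valid one; check_admin_referer() stops with 403 otherwise.
function becustom_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'becustom_save_settings', 'becustom_nonce' );

    foreach ( array( 'replaced_theme_author', 'betheme_label' ) as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            update_option( $key, sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) );
        }
    }
    if ( isset( $_POST['betheme_url_slug'] ) ) {
        update_option( 'betheme_url_slug', sanitize_title( wp_unslash( $_POST['betheme_url_slug'] ) ) );
    }
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
add_action( 'admin_post_becustom_save', 'becustom_save_settings_hardened' );

// The settings form must emit the matching nonce field so legitimate saves pass.
function becustom_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="becustom_save">';
    wp_nonce_field( 'becustom_save_settings', 'becustom_nonce' );
    echo '<input type="text" name="betheme_label" value="' . esc_attr( get_option( 'betheme_label', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```

The fix is confirmed by submitting the form without the becustom_nonce field (or with a stale one) and observing that check_admin_referer() rejects the request before any update_option() call runs.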

See advisories in our WLB2 database:
Topic: WordPress BeTheme BeCustom 1.0.5.2 Cross Site Request Forgery (Low)
Author: Julien Ahrens
Date: 15.11.2022

References:
https://muffingroup.com/betheme/features/be-custom/
https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2022-3747.txt
https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3747

Copyright 2024, cxsecurity.com
