A vulnerability advisory was issued about two WordPress themes sold on ThemeForest that, under the right conditions, could allow an attacker to delete arbitrary files or inject malicious scripts into a website.
Two WordPress Themes Sold On ThemeForest
The two WordPress themes with vulnerabilities are sold on ThemeForest and together they have over half a million sales.
The two themes are:
- Betheme theme for WordPress (306,362 sales)
- The Enfold – Responsive Multi-Purpose Theme for WordPress (260,607 sales)
Betheme Theme for WordPress Vulnerability
Wordfence issued an advisory that the Betheme theme contained a PHP Object Injection vulnerability that was rated as a high-severity threat.
Wordfence was discreet in its description of the vulnerability and offered no details of the specific flaw. However, in the context of a WordPress theme, a PHP Object Injection vulnerability arises when data an attacker can control (here, a post meta value that a contributor-level user can set) is passed to PHP's unserialize() function. PHP then instantiates whatever class the serialized string names, and that object's magic methods (such as __wakeup() or __destruct()) run with attacker-chosen property values. Whether this leads to anything worse than a stray object depends on whether a usable "POP chain" (a sequence of such classes whose magic methods can be strung together) exists somewhere in the installed code base, which is why Wordfence's advisory qualifies the impact.
This is how Wordfence described it:
“The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the ‘mfn-page-items’ post meta value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin.
If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.”
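To make the advisory's wording concrete, here is an added illustration of the vulnerable pattern beside two hardened alternatives. This is not Betheme's code and not a description of the actual flaw: only the meta key name comes from the advisory, while the functions, the in-memory meta store, the FileCleanup gadget class and the serialized payload are all constructed for this example. The gadget stands in for the kind of class a POP chain is built from in some other installed plugin or theme; the advisory states that no such chain is known in Betheme itself.

```php
<?php
// Added example, not Betheme code. Shows why handing attacker-controlled post
// meta to unserialize() is a PHP Object Injection sink, and how to close it.
// Assumption: a contributor can store the 'mfn-page-items' meta value on a
// post they author, and the theme later unserializes it while rendering.

// Hypothetical gadget class (constructed for this example). Any loaded class
// whose magic methods act on attacker-controlled properties can play this role.
class FileCleanup {
    public string $path = '';
    public function __destruct() {
        // With a real unlink() here, an attacker controlling $path could delete
        // arbitrary files. We only report what would happen.
        echo "[gadget] __destruct would unlink: {$this->path}\n";
    }
}

// Constructed stand-in for WordPress post meta storage (not the real API).
$post_meta = [];
function update_post_meta_stub(int $post_id, string $key, string $value): void {
    global $post_meta;
    $post_meta[$post_id][$key] = $value;
}
function get_post_meta_stub(int $post_id, string $key): string {
    global $post_meta;
    return $post_meta[$post_id][$key] ?? '';
}

// VULNERABLE: the untrusted meta value goes straight into unserialize(), so the
// attacker chooses which class gets instantiated and with what properties.
function render_items_unsafe(int $post_id): array {
    $raw   = get_post_meta_stub($post_id, 'mfn-page-items');
    $items = unserialize($raw);                       // object injection sink
    return is_array($items) ? $items : [];
}

// HARDENED (1): forbid class instantiation entirely. Any serialized object
// becomes __PHP_Incomplete_Class and no magic method is ever invoked.
function render_items_safe(int $post_id): array {
    $raw   = get_post_meta_stub($post_id, 'mfn-page-items');
    $items = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($items)) {
        return [];
    }
    // Strip any leftover incomplete objects so only scalars/arrays survive.
    array_walk_recursive($items, function (&$v) {
        if (is_object($v)) { $v = null; }
    });
    return $items;
}

// HARDENED (2): store layout data as JSON instead. json_decode() has no
// object-instantiation semantics at all, so the sink disappears.
function render_items_json(int $post_id): array {
    $raw   = get_post_meta_stub($post_id, 'mfn-page-items');
    $items = json_decode($raw, true);                 // objects become arrays
    return is_array($items) ? $items : [];
}

// Constructed payload: the string a contributor-level account would store.
// It names the gadget class and sets its 'path' property.
$payload = 'a:1:{i:0;O:11:"FileCleanup":1:{s:4:"path";s:22:"/var/www/wp-config.php";}}';
update_post_meta_stub(1, 'mfn-page-items', $payload);

echo "-- unsafe --\n";
$items = render_items_unsafe(1);   // FileCleanup is instantiated here
unset($items);                     // ...and its __destruct() fires here

echo "-- allowed_classes => false --\n";
$items = render_items_safe(1);     // incomplete class, no destructor
var_dump($items);

echo "-- JSON storage --\n";
update_post_meta_stub(1, 'mfn-page-items', json_encode([['type' => 'text', 'content' => 'hello']]));
var_dump(render_items_json(1));
```

The `allowed_classes` option has been available since PHP 7.0 and is the minimal fix when the serialized format cannot be changed; switching the stored representation to JSON removes the sink altogether, which is the stronger choice for new code.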
Has Betheme Theme Been Patched?
Betheme Theme for WordPress received a patch on August 30, 2024, but Wordfence’s advisory does not acknowledge it. It is possible that the advisory simply needs to be updated. Regardless, users of the Betheme theme should update to the newest version, which is 27.5.7.1.
The Enfold – Responsive Multi-Purpose Theme for WordPress
The Enfold Responsive Multi-Purpose WordPress theme contains a different flaw and was given a lower severity rating of 6.4 (medium on the CVSS scale). That said, the publisher of the theme has not issued a fix for the vulnerability.
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress theme, originating from a failure to sanitize inputs and escape output.
Wordfence describes the vulnerability:
“The Enfold – Responsive Multi-Purpose Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wrapper_class’ and ‘class’ parameters in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”
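The advisory names the two parameters and the two missing controls (input sanitization and output escaping). The following added example is not Enfold's code and does not reproduce the actual flaw; it shows the general pattern with a hypothetical shortcode, `demo_section`, whose `wrapper_class` and `class` attributes are copied into an HTML `class` attribute, first unescaped and then hardened. The `esc_attr()` and `shortcode_atts()` fallbacks exist only so the file runs outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Added example, not Enfold code. Demonstrates the stored-XSS pattern the
// advisory describes (a shortcode attribute written into an HTML attribute
// without escaping) next to a hardened version. Shortcode name and helper
// names are assumptions made for this example.

// Fallbacks so the script runs stand-alone; WordPress provides the real ones.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, array $atts): array {
        return array_merge($defaults, array_intersect_key($atts, $defaults));
    }
}

// Hypothetical shortcode:
// [demo_section wrapper_class="..." class="..."]Body[/demo_section]
// $content is assumed to have been filtered by WordPress's KSES on save, as it
// is for contributors without the unfiltered_html capability; the attributes
// below are the part this example is about.

// VULNERABLE: attributes are concatenated raw. A contributor who saves a
// shortcode with a crafted wrapper_class stores markup that runs for every
// visitor, including administrators, who views the page.
function demo_section_unsafe(array $atts, string $content = ''): string {
    $a = shortcode_atts(['wrapper_class' => '', 'class' => ''], $atts);
    return '<div class="demo-wrapper ' . $a['wrapper_class'] . '">'
         . '<section class="demo-section ' . $a['class'] . '">' . $content . '</section>'
         . '</div>';
}

// Hypothetical input sanitizer: keep only characters that can appear in a
// space-separated list of CSS class names. Sanitizing narrows what is stored;
// escaping below is still what prevents breaking out of the attribute. Do both.
function sanitize_class_list(string $s): string {
    $s = preg_replace('/[^A-Za-z0-9_\- ]/', '', $s);
    return trim(preg_replace('/\s+/', ' ', $s));
}

// HARDENED: sanitize on the way in, escape on the way out.
function demo_section_safe(array $atts, string $content = ''): string {
    $a       = shortcode_atts(['wrapper_class' => '', 'class' => ''], $atts);
    $wrapper = esc_attr(sanitize_class_list($a['wrapper_class']));
    $class   = esc_attr(sanitize_class_list($a['class']));
    return '<div class="demo-wrapper ' . $wrapper . '">'
         . '<section class="demo-section ' . $class . '">' . $content . '</section>'
         . '</div>';
}

// Constructed attacker input: attribute values a contributor could store.
$atts = [
    'wrapper_class' => '"><img src=x onerror=alert(document.cookie)><div class="',
    'class'         => 'hero',
];

echo "-- unsafe --\n";
echo demo_section_unsafe($atts, 'Hello'), "\n";   // closes the attribute, injects <img onerror=...>

echo "-- safe --\n";
echo demo_section_safe($atts, 'Hello'), "\n";     // leftover letters only, still inside the attribute
```

Running it shows the difference in one glance: the unsafe output contains a live `<img onerror=...>` element outside the quoted attribute, while the hardened output keeps whatever survives sanitization as inert text inside `class="..."`. Escaping alone (`esc_attr()` without the sanitizer) would already stop the injection; the sanitizer additionally prevents a contributor from smuggling in arbitrary class names.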
Enfold Vulnerability Has Not Been Patched
The Enfold – Responsive Multi-Purpose Theme for WordPress has not been patched as of this writing and remains vulnerable. The changelog documenting updates to the theme shows that it was last updated on August 19, 2024.
Screenshot Of Enfold WordPress Theme’s Changelog
Wordfence’s advisory warned:
“No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.”
Read the advisories:
Betheme <= 27.5.6 – Authenticated (Contributor+) PHP Object Injection
Enfold <= 6.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via wrapper_class and class Parameters