CVE-2022-3747: 
WordPress vulnerability analysis and mitigation

The BeCustom WordPress plugin (versions <= 1.0.5.2) was found to contain a Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2022-3747. The vulnerability was discovered on October 28, 2022, by Julien Ahrens from RCE Security and was publicly disclosed on November 10, 2022. BeCustom is a built-in add-on for the BeTheme WordPress theme that allows users to rebrand WordPress Admin and customize dashboard features (GitHub Advisory).

The vulnerability stems from the plugin's lack of anti-CSRF protection on all of its functionalities. It has been assigned a CVSSv3 score of 5.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N), indicating a medium severity level. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (GitHub Advisory, WPScan).

If exploited, the vulnerability allows attackers to perform various unauthorized actions including setting custom brandings, enabling/disabling BeCustom features, modifying the WP Login view, and altering BeDashboard texts. These actions can be executed when a user with appropriate plugin access rights is tricked into visiting a malicious website while having an authenticated session (GitHub Advisory).

The vulnerability has been fixed in BeCustom version 1.0.5.3. Users are advised to update to this version or later to protect against potential CSRF attacks. The vendor released the fix without notification after being contacted through multiple channels including direct notification and an Envato support case (GitHub Advisory).