CVE-2022-45077: 
WordPress vulnerability analysis and mitigation

CVE-2022-45077 is a PHP Object Injection vulnerability affecting the Betheme WordPress theme versions 26.5.1.4 and below. The vulnerability was discovered by Dave Jong and publicly disclosed on November 17, 2022. The issue affects authenticated users with subscriber or higher privileges who can potentially exploit the PHP object injection vulnerability in the theme (Patchstack).

The vulnerability occurs when the theme unserializes user input, which could allow low privilege users such as subscribers to perform PHP Object Injection when a suitable gadget is present. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Patchstack assigned it a score of 6.3 (MEDIUM). The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data) (NVD, WPScan).

If successfully exploited, this vulnerability could allow attackers to execute code injection, SQL injection, path traversal, or denial of service attacks if a proper POP chain is present. The high CVSS score indicates that the vulnerability poses significant risks to affected systems (Patchstack).

The vulnerability has been fixed in Betheme theme version 26.6. Users are strongly advised to update to version 26.6 or later to resolve the vulnerability. Patchstack has also issued a virtual patch to mitigate this issue by blocking any attacks until users can update to a fixed version (Patchstack).