CVE-2024-2694
Betheme <= 27.5.6 - Authenticated (Contributor+) PHP Object InjectionThe Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the 'mfn-page-items' post meta value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
We have discovered 58,540 live websites that are affected by CVE-2024-2694.
Affected Software
| Product | |
| Category | Wordpress Themes |
| Vulnerable Domains | 58,540 live websites (64% of BeTheme install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 319 versions ( 91% of all versions) |
Common Weakness Enumeration
CWE-502 Deserialization of Untrusted DataDetails
- Published - Aug 30, 2024
- Updated - Aug 30, 2024
Credits
- Francesco Carlucci (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2024-2694 United States | 12,309 websites |
 Germany | 7,298 websites |
 Italy | 4,078 websites |
 Brazil | 3,067 websites |
 France | 2,947 websites |
 Spain | 2,005 websites |
 Poland | 1,914 websites |
 GB | 1,889 websites |
 Netherlands | 1,706 websites |
 Russia | 1,408 websites |
Website Distribution by TLD
Number of websites using CVE-2024-2694| .com | 21,089 websites |
| .de | 4,359 websites |
| .it | 3,000 websites |
| .com.br | 2,983 websites |
| .org | 1,798 websites |
| .nl | 1,511 websites |
| .fr | 1,490 websites |
| .pl | 1,462 websites |
| .ru | 1,126 websites |
| .co.uk | 1,123 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-2694
Top websites that are affected by CVE-2024-2694. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.nl | United States | *,*** | |
| ******.fr | France | **,*** | |
| ****************************.com | United States | **,*** | |
| **********.com | United States | **,*** | |
| ************.com | United States | **,*** | |
| **********.com | United States | **,*** | |
| ***************.com | United States | **,*** | |
| ***********.de | Germany | **,*** | |
| ***********.com |  Canada | ***,*** | |
| *******.**.ke |  Kenya | ***,*** |
FAQ
CVE-2024-2694 is Deserialization of Untrusted Data in BeTheme
A total of 58,540 websites have been identified as vulnerable to CVE-2024-2694, based on global website indexing conducted by WebTechSurvey.
The BeTheme is affected by the CVE-2024-2694 vulnerability.
BeTheme versions up to and including 27.5.6 are vulnerable to CVE-2024-2694.